Security: block another case of remote execution vulnerability
lem9 committed Apr 24, 2013
1 parent d3fafdf commit 1f6bc0b
Showing 2 changed files with 18 additions and 7 deletions.
6 changes: 3 additions & 3 deletions export.php
Expand Up @@ -272,10 +272,10 @@ function PMA_exportOutputHandler($line)
'Export/file_template_table', $filename_template);
}
}
// remove dots in template to avoid a remote code execution vulnerability
$filename_template = str_replace('.', '', $filename_template);
$filename = PMA_expandUserString($filename_template);
$filename = PMA_sanitize_filename($filename);
// remove dots in filename (coming from either the template or already
// part of the filename) to avoid a remote code execution vulnerability
$filename = PMA_sanitize_filename($filename, $replaceDots = true);

// Grab basic dump extension and mime type
// Check if the user already added extension; get the substring where the extension would be if it was included
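Review bot: The call `PMA_sanitize_filename($filename, $replaceDots = true)` is an assignment expression, not a named argument, so it passes `true` only as the value of that assignment and also sets a `$replaceDots` variable in the calling scope. For a flag that the comment ties to a remote code execution fix, pass it plainly: `$filename = PMA_sanitize_filename($filename, true); // true: also replace dots`. Running the sanitiser after `PMA_expandUserString()` is the right order, since the expanded values can presumably contain dots of their own. The extension handling that follows continues outside this hunk, so whether a later step can put a user-influenced dot back into the name cannot be confirmed from here.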
19 changes: 15 additions & 4 deletions libraries/sanitizing.lib.php
Expand Up @@ -134,18 +134,29 @@ function PMA_sanitize($message, $escape = false, $safe = false)


/**
* Sanitize a filename by removing anything besides A-Za-z0-9_.-
* Sanitize a filename by removing anything besides legit characters
*
* Intended usecase:
* When using a filename in a Content-Disposition header the value should not contain ; or "
* When using a filename in a Content-Disposition header the value
* should not contain ; or "
*
* When exporting, avoiding generation of an unexpected double-extension file
*
* @param string The filename
* @param boolean Whether to also replace dots
*
* @return string the sanitized filename
*
*/
function PMA_sanitize_filename($filename) {
$filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename);
function PMA_sanitize_filename($filename, $replaceDots = false) {
$pattern = '/[^A-Za-z0-9_';
// if we don't have to replace dots
if (! $replaceDots) {
// then add the dot to the list of legit characters
$pattern .= '.';
}
$pattern .= '-]/';
$filename = preg_replace($pattern, '_', $filename);
return $filename;
}
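Review bot: The rewritten docblock summary says "legit characters" and no longer names the allowed set, and the new `@param boolean` line does not say when a caller has to pass `true`. I would keep the set explicit, e.g. `* Sanitize a filename by replacing anything besides A-Za-z0-9_- (and . unless $replaceDots is true) with _`, and state on the parameter that it must be `true` whenever the result is used to build a file name that later gets an extension appended. This matters because the default `$replaceDots = false` keeps the permissive behaviour, so any other caller with the same exposure stays unprotected until it opts in; the callers are not visible in this section. As a style point, the pattern can be selected rather than assembled: `$pattern = $replaceDots ? '/[^A-Za-z0-9_-]/' : '/[^A-Za-z0-9_.-]/';`.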
