security checks on extensions renaming - fixing #249 (PHP conn.)

simogeo · Apr 9, 2014 · fd348ec · fd348ec
1 parent 74f36c1
commit fd348ec
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 48 deletions.
diff --git a/connectors/php/filemanager.class.php b/connectors/php/filemanager.class.php
@@ -336,6 +336,11 @@ public function rename() {
 		if(!$this->isValidPath($old_file)) {
 			$this->error("No way.");
 		}
+
+		// we check if the new given extension is allowed regarding the security Policy settings
+		if($this->config['security']['allowChangeExtensions'] && !$this->isAllowedFileType($new_file)) {
+			$this->error(sprintf($this->lang('INVALID_FILE_TYPE')));
+		}
 
 		$this->__log(__METHOD__ . ' - renaming '. $old_file. ' to ' . $new_file);
 
@@ -983,12 +988,12 @@ private function isAllowedFileType($file) {
 	if($this->config['security']['uploadPolicy'] == 'DISALLOW_ALL') {
 
 		if(!in_array(strtolower($path_parts['extension']), $exts))
-			$this->error(sprintf($this->lang('INVALID_FILE_TYPE')),true);
+			return false;
 	}
 	if($this->config['security']['uploadPolicy'] == 'ALLOW_ALL') {
 
 		if(in_array(strtolower($path_parts['extension']), $exts))
-			$this->error(sprintf($this->lang('INVALID_FILE_TYPE')),true);
+			return false;
 	}
 
 	return true;

diff --git a/scripts/filemanager.js b/scripts/filemanager.js
@@ -621,14 +621,31 @@ var renameItem = function(data) {
 		rname = m.children('#rname').val();
 
 		if(rname != ''){
+
 			var givenName = rname;
+
  			if (! config.security.allowChangeExtensions) {
 				givenName = nameFormat(rname);
 				var suffix = getExtension(data['Filename']);	
 				if(suffix.length > 0) {
 					givenName = givenName + '.' + suffix;
 				}
- 			}			
+ 			}
+
+ 			// Check if file extension is allowed
+			if (!isAuthorizedFile(givenName)) { 
+				var str = '<p>' + lg.INVALID_FILE_TYPE + '</p>';
+				if(config.security.uploadPolicy == 'DISALLOW_ALL') {
+					str += '<p>' + lg.ALLOWED_FILE_TYPE +  config.security.uploadRestrictions.join(', ') + '.</p>';
+				}
+				if(config.security.uploadPolicy == 'ALLOW_ALL') {
+					str += '<p>' + lg.DISALLOWED_FILE_TYPE +  config.security.uploadRestrictions.join(', ') + '.</p>';
+				}
+				$("#filepath").val('');
+				$.prompt(str); 
+				return false;
+			}
+
 			var oldPath = data['Path'];	
 			var connectString = fileConnector + '?mode=rename&old=' + data['Path'] + '&new=' + givenName;