Security! Check and verify paths used by move_uploaded_file
 - Make sure uploaded files can only be saved in the USER-FILES
   subfolder
torinfo committed Mar 22, 2021
1 parent 76a7c73 commit 1672d6f
Showing 4 changed files with 21 additions and 0 deletions.
11 changes: 11 additions & 0 deletions editor/uploadImage.php
Expand Up @@ -71,6 +71,17 @@ function sanitizeName($file, &$response)
exit(-1);
}

// Check upload path, should contain USER-FILES
if (strpos($_REQUEST['uploadURL'], 'USER-FILES') === false)
{
// Invalid folder, reject!
$response->uploaded = 0;
$response->error = IMAGEUPOLOAD_NOT_UPLOADED;

echo json_encode($response);
exit(-1);
}

if (isset($_FILES['upload']['error']) && $_FILES['upload']['error'] != 0)
{
switch($_FILES['upload']['error']) {
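Review bot: The check added before the `$_FILES['upload']['error']` test only asks whether the substring `USER-FILES` occurs anywhere in `$_REQUEST['uploadURL']`; it does not confine the destination to that folder, since a value containing parent-directory segments or a differently named folder whose name merely contains the same substring still passes. The same substring test is added in modules/decision/engine/upload.php, modules/site/engine/upload.php and website_code/php/import/fileupload.php, so the fix below applies to all four. Canonicalise the requested location with `realpath()` and require the result to sit under the canonical USER-FILES directory (if `uploadURL` is a URL rather than a filesystem path, it has to be mapped to its filesystem location first — that mapping is outside the hunk). The value is also read without `isset`, so a request lacking `uploadURL` raises a notice and passes `null` to `strpos()`; `$_REQUEST['uploadURL'] ?? ''` avoids that. The surrounding function, and the later `move_uploaded_file()` call the commit title refers to, are outside the hunk.
```php
// … unchanged: sanitizeName / preceding checks …
// Resolve the requested folder and require it to lie inside USER-FILES;
// a substring match does not rule out parent-directory segments.
$userFilesBase = realpath(USER_FILES_BASE_DIR); // placeholder: the configured USER-FILES directory
$uploadDir = realpath((string) ($_REQUEST['uploadURL'] ?? ''));
if ($userFilesBase === false
    || $uploadDir === false
    || strpos($uploadDir . DIRECTORY_SEPARATOR, $userFilesBase . DIRECTORY_SEPARATOR) !== 0)
{
    // Invalid folder, reject!
    $response->uploaded = 0;
    $response->error = IMAGEUPOLOAD_NOT_UPLOADED;

    echo json_encode($response);
    exit(-1);
}
// … unchanged: $_FILES['upload']['error'] handling …
```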
2 changes: 2 additions & 0 deletions modules/decision/engine/upload.php
Expand Up @@ -96,6 +96,8 @@
$pass = false;
if (strpos($_FILES['Filedata']['name'], '...') !== false)
$pass = false;
if (strpos($_GET['path'], 'USER-FILES') === false)
$pass = false;

if ($pass === false) {
receive_message($_SESSION['toolkits_logon_username'], "UPLOAD", "CRITICAL", "Invalid filename: " . $_FILES['Filedata']['name'], "Invalid filename: " . $_FILES['Filedata']['name']);
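Review bot: When the new `$_GET['path']` test fails, the block below still logs `"Invalid filename: " . $_FILES['Filedata']['name']` as the CRITICAL UPLOAD message, so the record gives whoever reviews these events a filename complaint while the actual cause was a rejected target path; the same happens in modules/site/engine/upload.php. Track the reason separately, e.g. `$reason = 'Invalid filename'` before the existing checks and `{ $pass = false; $reason = 'Invalid upload path: ' . $_GET['path']; }` on the new check, then pass `$reason` to `receive_message()`. `$_GET['path']` is also read without `isset`; use `$_GET['path'] ?? ''` so a missing parameter is rejected cleanly rather than raising a notice. The surrounding validation sequence starts and ends outside the hunk.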
2 changes: 2 additions & 0 deletions modules/site/engine/upload.php
Expand Up @@ -79,6 +79,8 @@
$pass = false;
if (strpos($_FILES['Filedata']['name'], '...') !== false)
$pass = false;
if (strpos($_GET['path'], 'USER-FILES') === false)
$pass = false;

if ($pass === false) {
receive_message($_SESSION['toolkits_logon_username'], "UPLOAD", "CRITICAL", "Invalid filename: " . $_FILES['Filedata']['name'], "Invalid filename: " . $_FILES['Filedata']['name']);
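Review bot: This hunk is a line-for-line copy of the one in modules/decision/engine/upload.php, so the upload-path validation now exists in two places that will drift the next time it is tightened. Extract the filename and path checks into one shared function (e.g. `function isAllowedUploadTarget(string $name, string $path): bool`) called from both engines, so a single fix covers both. The rest of the validation sequence is outside the hunk.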
6 changes: 6 additions & 0 deletions website_code/php/import/fileupload.php
Expand Up @@ -55,6 +55,12 @@ function convertToBytes(string $from): ?int {
_debug("Session is invalid or expired");
die("Session is invalid or expired");
}
if (strpos($_POST['mediapath'], 'USER-FILES') === false)
{
// Invalid upload path
_debug("Invalid or illegal mediapath");
die("Invalid or illegal mediapath");
}

_load_language_file("/website_code/php/import/fileupload.inc");

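Review bot: `$_POST['mediapath']` is passed straight to `strpos()` without checking that it exists, so a request without the field produces a notice and, on PHP 8.1+, a deprecation for the `null` argument before the `die()` is reached. Write the guard as `if (strpos($_POST['mediapath'] ?? '', 'USER-FILES') === false)` so an absent value is rejected on the same path as an invalid one. Note that this is still only a substring test; the note on editor/uploadImage.php describes the canonical-path comparison that should replace it here as well. The code that later consumes `mediapath` is outside the hunk.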
