

Attempt at security fix. Needs more work to make this more robust.
git-svn-id: https://xerteonlinetoolkits.googlecode.com/svn/trunk@618 912cdd6b-5c7d-d5a7-a2ba-d0f0cdb91641
juliantenney committed Jan 8, 2013
1 parent b0ac30e commit 9fa2620
Showing 2 changed files with 22 additions and 2 deletions.
5 changes: 5 additions & 0 deletions modules/xerte/engine/save.php
Expand Up @@ -11,6 +11,11 @@

require_once("../../../config.php");

if(!isset($_SESSION['toolkits_logon_username'])) {
print "You are not logged in.";
exit();
}

$savepath = str_replace("preview.xml","data.xml",$_POST['filename']);

/**
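Review bot: The login check added at the top of this hunk decides who may call save.php, but `$_POST['filename']` on the `$savepath` line is still taken as-is: after the `str_replace` it is a client-controlled filesystem path, so a `../` sequence or a path to an unrelated file survives into whatever writes `$savepath` further down (outside the hunk). The gate limits who can reach the write, not where it lands. Confine the path before use, e.g. `$savedir = realpath(dirname($savepath));` followed by `if ($savedir === false || strpos($savedir . DIRECTORY_SEPARATOR, $xerte_toolkits_site->root_file_path) !== 0) { print "Invalid File Name"; exit(); }` — `root_file_path` is the site root used by the sibling upload.php in this commit, and whether it ends in a separator needs checking against config.php. Also guard the read with `isset($_POST['filename'])` so a request without the field fails cleanly instead of raising a notice.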
19 changes: 17 additions & 2 deletions modules/xerte/engine/upload.php
Expand Up @@ -11,12 +11,27 @@

require_once("../../../config.php");

if(!isset($_SESSION['toolkits_logon_username'])) {
print "You are not logged in.";
exit();
}

$page_sought = explode("=",$_SERVER['REQUEST_URI']);

// SECURITY / TODO / XXX - someone can use this to upload an arbitrary file to a place of their choosing on the server
$pass = true;
if (strpos($_FILES['Filedata']['name'], '../') !== false) $pass = false;
if (strpos($_FILES['Filedata']['name'], '.exe') !== false) $pass = false;
if (strpos($_FILES['Filedata']['name'], '...') !== false) $pass = false;

if ($pass === false){
print "Invalid File Name";
exit();
}


$new_file_name = $xerte_toolkits_site->root_file_path . $page_sought[1] . $_FILES['Filedata']['name'];

// SECURITY / TODO / XXX - someone can use this to upload an arbitrary file to a place of their choosing on the server
// (assuming it's writeable); $_FILES['x']['name'] can contain ../../ as it's user supplied.
if(move_uploaded_file($_FILES['Filedata']['tmp_name'], $new_file_name)){
}else{
}
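Review bot: The three `strpos` checks in the middle of the hunk are a denylist and miss the cases that matter most on a web server: a `.php`/`.phtml` name (executable once it lands under `root_file_path`), an uppercase `.EXE`, or a backslash-separated path, none of which contain `../`, `.exe` or `...`. A safer shape is `basename()` on the client name (drops any directory component whatever the separator), an allow-list of the extensions this endpoint is meant to receive rather than a denied one, and a `realpath()` check that the target directory stays under `$xerte_toolkits_site->root_file_path`, which also covers `$page_sought[1]` — the comments on the hunk already note it comes straight from `REQUEST_URI`, and it is unset when the URI has no `=`. The empty `if`/`else` around `move_uploaded_file` at the end of the hunk silently drops a failed move; at least `print` an error and `exit()` so the caller and the logs see it. The rewrite below keeps the same `print "Invalid File Name"; exit();` pattern; the extension list is a placeholder to be set for this deployment.
```php
$pass = true;
$upload_name = basename($_FILES['Filedata']['name']);
$allowed_extensions = array(/* PLACEHOLDER: extensions this endpoint accepts */);
$extension = strtolower(pathinfo($upload_name, PATHINFO_EXTENSION));
if ($upload_name === '' || !in_array($extension, $allowed_extensions, true)) $pass = false;

if ($pass === false){
print "Invalid File Name";
exit();
}

// directory derived from REQUEST_URI must resolve to somewhere under the site root
$root_dir = realpath($xerte_toolkits_site->root_file_path);
$target_dir = isset($page_sought[1]) ? realpath($xerte_toolkits_site->root_file_path . $page_sought[1]) : false;
if ($root_dir === false || $target_dir === false
    || strpos($target_dir . DIRECTORY_SEPARATOR, $root_dir . DIRECTORY_SEPARATOR) !== 0) {
print "Invalid File Name";
exit();
}
$new_file_name = $target_dir . DIRECTORY_SEPARATOR . $upload_name;

// … unchanged: move_uploaded_file() call …
```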

0 comments on commit 9fa2620
