
v3.0.6 - Improve security, consistency of codebase

-v3.0.6.
-Add a check to ensure a generated .AppData user-data package actually belongs to the user it's being delivered to.
-Removed redundant code from compatibilityCore.
-Add the backupUserDataNow and downloadUserData API calls to sanitizeCore (their values are never used, but sanitizeCore contains the official API reference so these should really be in there).
-Changed from shell_exec to exec.
zelon88 committed Jan 30, 2019
1 parent b7963dc commit d75b74aab80decf3e6b3561489a648aa654625f5
Showing with 36 additions and 15 deletions.
  1. +11 −1 CHANGELOG.txt
  2. +2 −9 compatibilityCore.php
  3. +18 −0 sanitizeCore.php
  4. +4 −4 settingsCore.php
  5. +1 −1 versionInfo.php
@@ -1,5 +1,15 @@
COMMIT 1/30/2019
v3.0.6 - Improve security, consistency of codebase.

-v3.0.6.
-Add a check to ensure a generated .AppData user-data package actually belongs to the user it's being delivered to.
-Removed redundant code from compatibilityCore.
-Add the backupUserDataNow and downloadUserData API calls to sanitizeCore (their values are never used, but sanitizeCore contains the official API reference so these should really be in there).
-Changed to an exec function from shell_exec.

----------
COMMIT 1/29/2019
v3.0.5 - Add option to export user data
v3.0.5 - Add option to export user data.

-v3.0.5.
-Add option to the settings page for exporting user data (logs, cache, bookmarks, notes, ect...)
@@ -2,7 +2,7 @@
/*
HRCLOUD2 VERSION INFORMATION
THIS VERSION : v3.0.5
THIS VERSION : v3.0.6
WRITTEN ON : 1/29/2019
*/
@@ -36,14 +36,7 @@
// / -----------------------------------------------------------------------------------
// / -----------------------------------------------------------------------------------
// / The following code sets the global variables for the session.
$ClearCachePOST = str_replace('..', '', str_replace(str_split('./[]{};:$!#^&%@>*<'), '', $_POST['ClearCache']));
$AutoUpdatePOST = str_replace('..', '', str_replace(str_split('./[]{};:$!#^&%@>*<'), '', $_POST['AutoUpdate']));
$AutoDownloadPOST = str_replace('..', '', str_replace(str_split('./[]{};:$!#^&%@>*<'), '', $_POST['AutoDownload']));
$AutoInstallPOST = str_replace('..', '', str_replace(str_split('./[]{};:$!#^&%@>*<'), '', $_POST['AutoInstall']));
$AutoCleanPOST = str_replace('..', '', str_replace(str_split('./[]{};:$!#^&%@>*<'), '', $_POST['AutoClean']));
$CheckCompatPOST = str_replace('..', '', str_replace(str_split('./[]{};:$!#^&%@>*<'), '', $_POST['CheckCompatibility']));
$CheckPermsPOST = str_replace('..', '', str_replace(str_split('./[]{};:$!#^&%@>*<'), '', $_POST['CheckPermissions']));
// / The following code sets the global variables for the session.
$ResourceDir = $InstLoc.'/Resources/TEMP';
$ResourceDir1 = $ResourceDir.'/HRCloud2-master';
$UpdatedZIP1 = $ResourceDir.'/HRC2UPDATE1.zip';
@@ -66,6 +66,24 @@
if (isset($_POST['GenClientHomepage'])) $GenClientHomepage = htmlentities(str_replace('..', '', str_replace(str_split('\\~#[]{};:$!#^&%@>*<"\''), '', $_POST['GenClientHomepage'])), ENT_QUOTES, 'UTF-8');
// / -----------------------------------------------------------------------------------
// / -----------------------------------------------------------------------------------
// / The following code sets variables for generating client-side Apps based on user supplied specs.
if (isset($_POST['GenerateClient'])) $GenerateClient = htmlentities(str_replace('..', '', str_replace(str_split('\\~#[]{};:$!#^&%@>*<"\''), '', $_POST['GenerateClient'])), ENT_QUOTES, 'UTF-8');
if (isset($_POST['GenClientOS'])) $GenClientOS = htmlentities(str_replace('..', '', str_replace(str_split('\\~#[]{};:$!#^&%@>*<"\''), '', $_POST['GenClientOS'])), ENT_QUOTES, 'UTF-8');
if (isset($_POST['GenClientCPU'])) $GenClientCPU = htmlentities(str_replace('..', '', str_replace(str_split('\\~#[]{};:$!#^&%@>*<"\''), '', $_POST['GenClientCPU'])), ENT_QUOTES, 'UTF-8');
if (isset($_POST['GenClientHomepage'])) $GenClientHomepage = htmlentities(str_replace('..', '', str_replace(str_split('\\~#[]{};:$!#^&%@>*<"\''), '', $_POST['GenClientHomepage'])), ENT_QUOTES, 'UTF-8');
// / -----------------------------------------------------------------------------------
// / -----------------------------------------------------------------------------------
// / The following code sets variables for generating an AppData package (the user specific data, GDPR compliance) to the users Cloud drive.
if (isset($_POST['downloadAppData'])) $DownloadAppData = htmlentities(str_replace('..', '', str_replace(str_split('\\~#[]{};:$!#^&%@>*<"\''), '', $_POST['downloadAppData'])), ENT_QUOTES, 'UTF-8');
// / -----------------------------------------------------------------------------------
// / -----------------------------------------------------------------------------------
// / The following code triggers the backupCore (when used as administrator).
if (isset($_POST['backupUserDataNow'])) $BackupUserDataNow = htmlentities(str_replace('..', '', str_replace(str_split('\\~#[]{};:$!#^&%@>*<"\''), '', $_POST['backupUserDataNow'])), ENT_QUOTES, 'UTF-8');
// / -----------------------------------------------------------------------------------
// / -----------------------------------------------------------------------------------
// / ONLY ADMINISTRATORS CAN SET COMPRESSION SETTINGS !!!
// / Can be used by administrators to set data compression settings for user uploaded content.
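Review bot: The two new assignments (`$DownloadAppData` on the `downloadAppData` line and `$BackupUserDataNow` on the `backupUserDataNow` line) run the full strip-and-`htmlentities` chain even though, per the commit description, only `isset()` of these variables is consulted downstream, so the sanitized value itself is never read. A comment above each making that explicit would stop a later reader from treating the cleaned string as a validated value, e.g. `// / Presence-only flag: downstream code checks isset() and never reads the value.` The heading `// / The following code triggers the backupCore (when used as administrator).` describes a privilege restriction that this file does not enforce; presumably that check lives where `$BackupUserDataNow` is consumed, and the comment should say so rather than imply it happens here.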
@@ -351,13 +351,13 @@ function selectChanged(id1, id2) {
// / -----------------------------------------------------------------------------------
// / The following code generates a copy of the users AppData directory to their cloud drive in .zip format.
if (isset($_POST['downloadAppData'])) {
if (is_dir($LogLoc)) {
if (isset($DownloadAppData)) {
if (is_dir($LogLoc) && strpos($LogLoc, $UserID) !== FALSE && strpos($CloudUsrDir, $UserID) !== FALSE && strpos($CloudTmpDir, $UserID) !== FALSE) {
$archDst = $CloudUsrDir.'User-Data_'.$Date.'.zip';
$archTempDst = $CloudTmpDir.'User-Data_'.$Date.'.zip';
$txt = 'OP-Act: Executing "zip -j '.$archDst.' '.$LogLoc.' -x *Shared*" on '.$Time.'.';
$MAKELogFile = file_put_contents($LogFile, $txt.PHP_EOL, FILE_APPEND);
shell_exec('cd '.$CloudUsrDir.'; zip -r '.$archDst.' .AppData -x *Shared*');
exec('cd '.$CloudUsrDir.'; zip -r '.$archDst.' .AppData -x *Shared*');
@copy($archDst, $archTempDst);
echo('Generated a copy of your User Data to your Cloud Drive! | <a href="'.$URL.'/HRProprietary/HRCloud2/DATA/'.$UserID.'/User-Data_'.$Date.'.zip"><strong>Download Now</strong></a>.'.$br.'</hr>'); }
else {
@@ -368,7 +368,7 @@ function selectChanged(id1, id2) {
// / -----------------------------------------------------------------------------------
// / The following code loads the backupCore to perform an admin on-demand backup
if (isset($_POST['backupUserDataNow'])) {
if (isset($BackupUserDataNow)) {
if (!file_exists(realpath(dirname(__FILE__)).'/backupCore.php')) die ('</head><body>ERROR!!! HRC2SettingsCore355, Cannot process the HRCloud2 Backup Core file (backupCore.php)!<br /></body></html>');
else require(realpath(dirname(__FILE__)).'/backupCore.php');
echo('Backup Complete!'.$br);
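Review bot: Swapping `shell_exec` for `exec` on the `exec('cd '.$CloudUsrDir...` line does not change what reaches the shell: `$CloudUsrDir` and `$archDst` (which embeds `$Date`) are still concatenated unquoted into `cd …; zip -r …`, so each should be wrapped with `escapeshellarg()`, the two commands joined with `&&` so a failed `cd` does not archive the wrong directory, and the exit status captured and at least logged before the success message is printed. The ownership check added on the `is_dir($LogLoc) && strpos(...)` line only tests that `$UserID` occurs somewhere inside the three paths (`strpos(...) !== FALSE`); if those directories are built as a fixed base plus the user id, comparing against that exact expected path is stricter than substring containment. The log entry written to `$LogFile` still says `zip -j … $LogLoc …` while the command actually run is `zip -r $archDst .AppData`, so the audit trail does not match the action; logging the command string that is executed fixes that. The second hunk (`isset($BackupUserDataNow)`) only changes the guard variable, and the `else` branch of the first block continues outside the hunk.
```php
if (isset($DownloadAppData)) {
if (is_dir($LogLoc) && strpos($LogLoc, $UserID) !== FALSE && strpos($CloudUsrDir, $UserID) !== FALSE && strpos($CloudTmpDir, $UserID) !== FALSE) {
$archDst = $CloudUsrDir.'User-Data_'.$Date.'.zip';
$archTempDst = $CloudTmpDir.'User-Data_'.$Date.'.zip';
// / Quote every interpolated path so the shell sees one argument each; the log records the exact command run.
$zipCmd = 'cd '.escapeshellarg($CloudUsrDir).' && zip -r '.escapeshellarg($archDst).' .AppData -x *Shared*';
$txt = 'OP-Act: Executing "'.$zipCmd.'" on '.$Time.'.';
$MAKELogFile = file_put_contents($LogFile, $txt.PHP_EOL, FILE_APPEND);
exec($zipCmd, $zipOutput, $zipStatus);
if ($zipStatus !== 0) file_put_contents($LogFile, 'ERROR: zip exited with status '.$zipStatus.' on '.$Time.'.'.PHP_EOL, FILE_APPEND);
// … unchanged: copy to temp dir and download link …
```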
@@ -1,4 +1,4 @@
<?php
// / This file contains the current HRCloud2 version for auto-update purposes.
// /
$Version = 'v3.0.5';
$Version = 'v3.0.6';
