diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 8d29c28..fa08862 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,11 @@
+COMMIT 11/18/2018
+v1.5 - Improve sanitization.
+
+-v1.5.
+-Improve sanitization.
+-Based on input from neogeovr on Reddit.
+
+--------------------
 COMMIT 10/24/2018
 v1.4 - Fix bugs with auto cleanup of files.
diff --git a/sanitizeCore.php b/sanitizeCore.php
index 7458830..f8181a1 100644
--- a/sanitizeCore.php
+++ b/sanitizeCore.php
@@ -37,16 +37,16 @@
 // / -----------------------------------------------------------------------------------
 // / Sanitize the Token GET variable.
 if (isset($_POST['Token1'])) {
- $Token1 = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token1']); }
+ $Token1 = str_replace('//', '/', str_replace('..', '', str_replace(str_split('|~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token1']))); }
 if (isset($_POST['Token2'])) {
- $Token2 = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token2']); }
+ $Token2 = str_replace('//', '/', str_replace('..', '', str_replace(str_split('|~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token2']))); }
 // / -----------------------------------------------------------------------------------
 // / -----------------------------------------------------------------------------------
 // / Sanitize the noGui GET variable to disable the descriptive header text.
 // / Good for usage in a small iframe.
 if (isset($_POST['noGui'])) {
- $_GET = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_GET['noGui']); }
+ $_GET = str_replace('//', '/', str_replace('..', '', str_replace(str_split('|~#[](){};:$!#^&%@>*<"\''), '', $_GET['noGui']))); }
 // / -----------------------------------------------------------------------------------
 // / -----------------------------------------------------------------------------------
diff --git a/scanCore.php b/scanCore.php
index 25b8228..166b01a 100644
--- a/scanCore.php
+++ b/scanCore.php
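Review bot: The new `$Token1`/`$Token2` lines still sanitize by deleting a denylist of characters and then removing `..` and `//` in a single pass each, which silently rewrites the value instead of rejecting it, and a single-pass `str_replace('//', '/')` is not a normalization (`///` still comes out as `//`). The `..`/`//` stripping suggests these tokens end up in a filesystem path; if so, an allowlist check that fails closed is the safer shape, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $_POST['Token1'])) { exit('Invalid Token1'); }` before the assignment (adjusted to whatever a valid token actually contains), with the same for Token2. The new noGui line also carries over the earlier mismatch: the guard tests `isset($_POST['noGui'])` but the value is read from `$_GET['noGui']` and the result is assigned to the `$_GET` superglobal itself rather than to a local, so presumably the intent is `$noGui = str_replace(... $_POST['noGui'] ...)`.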
@@ -50,7 +50,7 @@
 // / -----------------------------------------------------------------------------------
 // / The following code sets the global variables for the session.
-$HRScanVersion = 'v1.4';
+$HRScanVersion = 'v1.5';
 $versions = 'PHP-AV App v3.8 | Virus Definition v4.7, 8/19/2018';
 $Date = date("m_d_y");
 $Time = date("F j, Y, g:i a");
@@ -69,14 +69,14 @@
 $ScanGuiCounter1 = $ConsolidateLogs = 0;
 $LogFile = $LogDir.'/HRScan2_'.$LogInc.'_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
 $ClamLogFileName = 'ClamScan_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
-$ClamLogFile = $ScanDir.'/'.$ClamLogFileName;
-$ClamLogTempFile = $ScanTempDir.'/'.$ClamLogFileName;
+$ClamLogFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanDir.'/'.$ClamLogFileName)));
+$ClamLogTempFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanTempDir.'/'.$ClamLogFileName)));
 $PHPAVLogFileName = 'PHPAVScan_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
-$PHPAVLogFile = $ScanDir.'/'.$PHPAVLogFileName;
-$PHPAVLogTempFile = $ScanTempDir.'/'.$PHPAVLogFileName;
+$PHPAVLogFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanDir.'/'.$PHPAVLogFileName)));
+$PHPAVLogTempFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanTempDir.'/'.$PHPAVLogFileName)));
 $ConsolidatedLogFileName = 'ScanAll_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
-$ConsolidatedLogFile = $ScanDir.'/'.$ConsolidatedLogFileName;
-$ConsolidatedLogTempFile = $ScanTempDir.'/'.$ConsolidatedLogFileName;
+$ConsolidatedLogFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanDir.'/'.$ConsolidatedLogFileName)));
+$ConsolidatedLogTempFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanTempDir.'/'.$ConsolidatedLogFileName)));
 $defaultLogDir = $InstLoc.'/Logs';
 $defaultLogSize = '1048576';
 $defaultApps = array('index.html', '.', '..', '..');
diff --git a/versionInfo.php b/versionInfo.php
index 1518da9..ae0c2fd 100644
--- a/versionInfo.php
+++ b/versionInfo.php
@@ -1,4 +1,4 @@
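Review bot: The six new assignments from `$ClamLogFile` through `$ConsolidatedLogTempFile` repeat the same three-deep `str_replace` chain, and the inner `str_replace('//','/', …)` is redundant because the outer one runs after the `..` removal and already collapses any `//` that removal produces. The file-name halves are built here only from `$Date` and `substr()` of the session hashes, so the chain only ever acts on `$ScanDir`/`$ScanTempDir`, and there it silently turns a configured relative directory such as `../logs` into `/logs` rather than rejecting it; where those two variables come from is outside this hunk, but if they are configurable, resolving them with `realpath()` and checking the result lies under the expected base directory would fail closed instead of redirecting log output. A small helper keeps the rule in one place (guard it with `function_exists()` if this script is included more than once per request):
```php
// / Collapse '//' and strip '..' from a log path; same result as the inline str_replace chain.
function cleanLogPath($path) {
  return str_replace('//', '/', str_replace('..', '', $path)); }
$ClamLogFile = cleanLogPath($ScanDir.'/'.$ClamLogFileName);
$ClamLogTempFile = cleanLogPath($ScanTempDir.'/'.$ClamLogFileName);
// … unchanged: $PHPAVLogFileName definition …
$PHPAVLogFile = cleanLogPath($ScanDir.'/'.$PHPAVLogFileName);
$PHPAVLogTempFile = cleanLogPath($ScanTempDir.'/'.$PHPAVLogFileName);
// … unchanged: $ConsolidatedLogFileName definition …
$ConsolidatedLogFile = cleanLogPath($ScanDir.'/'.$ConsolidatedLogFileName);
$ConsolidatedLogTempFile = cleanLogPath($ScanTempDir.'/'.$ConsolidatedLogFileName);
```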