From: Janusz Dobrowolski Date: Thu, 9 Dec 2010 11:05:07 +0000 (+0000) Subject: [0000312] Prevented directory traversal X-Git-Tag: v2.4.2~19^2~418 X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=commitdiff_plain;h=8fd829d5e77e537a5c252dd53ee703a18230f091;p=fa-stable.git [0000312] Prevented directory traversal
---
diff --git a/admin/attachments.php b/admin/attachments.php
index d87b510c..1ad50d69 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -103,7 +103,7 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 $unique_name = uniqid('');
 move_uploaded_file($tmpname, $dir."/".$unique_name); //save the file
- $filename = $_FILES['filename']['name'];
+ $filename = basename($_FILES['filename']['name']);
 $filesize = $_FILES['filename']['size'];
 $filetype = $_FILES['filename']['type'];
 }
diff --git a/admin/company_preferences.php b/admin/company_preferences.php
index 899c039a..d944fefb 100644
--- a/admin/company_preferences.php
+++ b/admin/company_preferences.php
@@ -46,11 +46,10 @@ if (isset($_POST['update']) && $_POST['update'] != "")
 {
 mkdir($filename);
 }
- $filename .= "/".$_FILES['pic']['name'];
+ $filename .= "/".clean_file_name($_FILES['pic']['name']);
 //But check for the worst
- if (!in_array((substr(trim($_FILES['pic']['name']),-3)),
- array('jpg','JPG','png','PNG')))
+ if (!in_array( substr($filename,-3), array('jpg','JPG','png','PNG')))
 {
 display_error(_('Only jpg and png files are supported - a file extension of .jpg or .png is expected'));
 $input_error = 1;
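Review bot: The new `$filename = basename($_FILES['filename']['name']);` line strips only forward-slash directory components on POSIX builds of PHP, so a client-supplied name that carries backslash separators or consists only of dots reaches the database unchanged, whereas the other two files in this commit pass the same kind of value through `clean_file_name()`. Using that helper here as well, `$filename = clean_file_name($_FILES['filename']['name']);`, would keep the sanitisation consistent across the commit, assuming the helper strips path separators (its definition is not in this diff). At this point `$filename` is only stored as metadata next to `$unique_name`, but if it is later used to build a path or a download header, the characters basename() leaves behind matter. The return value of `move_uploaded_file()` on the preceding context line is also never checked, so the name, size and type are recorded even when the file was not saved.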
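Review bot: The rewritten guard `if (!in_array( substr($filename,-3), array('jpg','JPG','png','PNG')))` still tests only the last three characters of the path, so a name with no dot before the suffix passes and `.jpeg` is rejected; an anchored extension test is clearer and case-insensitive: `if (!in_array(strtolower(pathinfo($filename, PATHINFO_EXTENSION)), array('jpg', 'png')))`. The check is name-only: because the file is written under the company images directory and served back as the logo, validating the content as well, for example `getimagesize($_FILES['pic']['tmp_name'])` returning a JPEG or PNG type, would keep non-image data out of that directory. `clean_file_name()` is not shown in this diff; if it can return an empty string the comparison fails closed here, which is acceptable, but a short comment stating what the helper guarantees would help readers of this check. The enclosing `if (isset($_POST['update']) ...)` block starts before this hunk.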
@@ -78,14 +77,14 @@ if (isset($_POST['update']) && $_POST['update'] != "")
 if ($input_error != 1)
 {
 $result = move_uploaded_file($_FILES['pic']['tmp_name'], $filename);
- $_POST['coy_logo'] = $_FILES['pic']['name'];
+ $_POST['coy_logo'] = clean_file_name($_FILES['pic']['name']);
 if(!$result)
 display_error(_('Error uploading logo file'));
 }
 }
 if (check_value('del_coy_logo'))
 {
- $filename = company_path()."/images/".$_POST['coy_logo'];
+ $filename = company_path()."/images/".clean_file_name($_POST['coy_logo']);
 if (file_exists($filename))
 {
 $result = unlink($filename);
diff --git a/admin/display_prefs.php b/admin/display_prefs.php
index d792f104..4c90ec78 100644
--- a/admin/display_prefs.php
+++ b/admin/display_prefs.php
@@ -30,6 +30,7 @@ if (isset($_POST['setprefs']))
 display_error( _("Query size must be integer and greater than zero."));
 set_focus('query_size');
 } else {
+ $_POST['theme'] = clean_file_name($_POST['theme']);
 $chg_theme = user_theme() != $_POST['theme'];
 $chg_lang = $_SESSION['language']->code != $_POST['language'];
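Review bot: `$_POST['coy_logo'] = clean_file_name($_FILES['pic']['name']);` recomputes the name that the earlier hunk already appended to `$filename`, so the logo name saved in the preferences and the file written to disk stay in sync only because the helper happens to be deterministic; computing it once before the path is built, `$logo_name = clean_file_name($_FILES['pic']['name']);`, and reusing `$logo_name` in both places removes that coupling. In the delete branch, if `clean_file_name()` can yield an empty string (its definition is not in this diff), `$filename` becomes the images directory itself, `file_exists()` is true for a directory and `unlink()` then fails with a warning; a guard such as `if (clean_file_name($_POST['coy_logo']) !== '')` before building the path would cover that. The enclosing `if (isset($_POST['update']) ...)` block starts before this hunk.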