From f2e7911580d86e0c75edeabc3ce5b106c9f23151 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Wed, 24 Nov 2010 18:01:38 +0000
Subject: [PATCH] [0000281] Filename saitization added
---
 admin/attachments.php | 7 +++++--
 admin/db/maintenance_db.inc | 2 +-
 includes/main.inc | 8 ++++++++
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/admin/attachments.php b/admin/attachments.php
index 30090517..d87b510c 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -94,8 +94,11 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 fwrite($fp, $index_file);
 fclose($fp);
 }
- if ($Mode == 'UPDATE_ITEM' && file_exists($dir."/".$_POST['unique_name']))
- unlink($dir."/".$_POST['unique_name']);
+ // file name compatible with POSIX
+ // protect against directory traversal
+ $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
+ if ($Mode == 'UPDATE_ITEM' && file_exists($dir."/".$unique_name))
+ unlink($dir."/".$unique_name);
 $unique_name = uniqid('');
 move_uploaded_file($tmpname, $dir."/".$unique_name);
diff --git a/admin/db/maintenance_db.inc b/admin/db/maintenance_db.inc
index e453c97b..81fc0abc 100644
--- a/admin/db/maintenance_db.inc
+++ b/admin/db/maintenance_db.inc
@@ -438,7 +438,7 @@ function db_backup($conn, $ext='no', $comm='', $tbpref = TB_PREF)
 else
 $filename = $conn['dbname'] . "_" . date("Ymd_Hi") . ".sql";
- return db_export($conn, $filename, $ext, $comm, $tbpref);
+ return db_export($conn, clean_file_name($filename), $ext, $comm, $tbpref);
 }
 // generates a dump of $db database
diff --git a/includes/main.inc b/includes/main.inc
index b89f4496..3d94aeb6 100644
--- a/includes/main.inc
+++ b/includes/main.inc
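Review bot: The character filter on the added `$unique_name = preg_replace(...)` line still lets `.` through, so a posted value of `.` or `..` (or one that strips down to the empty string) survives, `file_exists($dir."/".$unique_name)` is then true for a directory, and `unlink()` is attempted on `$dir` or its parent, failing with a warning instead of being rejected up front. Restricting the deletion to regular files closes that gap: `if ($Mode == 'UPDATE_ITEM' && is_file($dir."/".$unique_name))`. The same commit adds `clean_file_name()` in includes/main.inc; if that helper is in scope here (not visible in the hunk), calling it instead of an inline regex keeps the two sanitizers from drifting apart, which they already do (this one strips offending characters, the helper replaces them with `_`). The enclosing `if ($Mode == ...)` block starts outside the hunk.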
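Review bot: The changed `return db_export($conn, clean_file_name($filename), ...)` line makes db_backup() depend on `clean_file_name()`, which this commit defines in includes/main.inc, and nothing in the hunk establishes that main.inc is loaded before admin/db/maintenance_db.inc. A one-line comment at the call, `// clean_file_name() is defined in includes/main.inc`, makes the dependency visible to anyone including this file on its own. db_backup()'s body, including the other branch that assigns `$filename`, starts outside the hunk.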
@@ -343,5 +343,13 @@ function find_custom_file($rep)
 return null;
 }
+/*
+
+ Protect against directory traversal.
+ Changes all not POSIX compatible chars to underscore.
+*/
+function clean_file_name($filename) {
+ return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
+}
 ?>
\ No newline at end of file
--
2.30.2
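Review bot: `clean_file_name()` does not deliver what its header comment promises for `.` and `..`: both consist only of characters the class allows, so `clean_file_name('..')` returns `..` unchanged and an empty input comes back empty, and either result joined onto a directory path still names a directory rather than a file. Handling the all-dots/empty case after the replace, as below, gives the stated protection; the caller in admin/db/maintenance_db.inc is unaffected because its names always end in `.sql`. The header comment would also serve better as a docblock stating the contract, e.g. `/** Map every character outside [a-zA-Z0-9.-_] to '_'; a name made only of dots (or empty) becomes '_'. */`.
```php
function clean_file_name($filename) {
	$filename = preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
	// '.' and '..' pass the character filter but still name a directory
	if (trim($filename, '.') === '')
		return '_';
	return $filename;
}
```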