Fixed security issues in file uploads.
author
Janusz Dobrowolski
<janusz@frontaccounting.eu>
Thu, 6 Mar 2014 23:57:47 +0000
(
00:57
+0100)
committer
Janusz Dobrowolski
<janusz@frontaccounting.eu>
Mon, 10 Mar 2014 09:29:51 +0000
(10:29 +0100)
diff --git
a/admin/attachments.php
b/admin/attachments.php
index 9540327a47a2aab99751be678356a287e9e4774b..2f41d80c14cc15cef973f5dedb2e4b3b0b1232e9 100644
(file)
--- a/
admin/attachments.php
+++ b/
admin/attachments.php
@@
-108,7
+108,10
@@
if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
// protect against directory traversal
if ($Mode == 'UPDATE_ITEM')
{
// protect against directory traversal
if ($Mode == 'UPDATE_ITEM')
{
- $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
+ $row = get_attachment($selected_id);
+ if ($row['filename'] == "")
+ exit();
+ $unique_name = $row['unique_name'];
if ($filename && file_exists($dir."/".$unique_name))
unlink($dir."/".$unique_name);
}
if ($filename && file_exists($dir."/".$unique_name))
unlink($dir."/".$unique_name);
}
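Review bot: `$row['filename']` is indexed before anything checks that `get_attachment($selected_id)` returned a row at all; if the helper returns `false` for an unknown id (presumably it does, as most `*_db` lookups here do), the new code relies on `false['filename']` silently yielding null rather than on an explicit test. Making the guard explicit reads better and survives a stricter PHP level: `if (!$row || $row['filename'] == "")`. The bare `exit()` also ends the request with no message and no log entry, so a tampered or stale id is indistinguishable from a blank page to both the user and anyone reviewing the server log; a `display_error(_('Attachment not found'))` before leaving, in the style used elsewhere in this commit, would make the rejection visible. Where `$selected_id` comes from and whether it is validated is not in the hunk, and the enclosing `if ($Mode == ...)` branch starts outside it; a one-line comment on the `$row = ...` line stating that the stored `unique_name` is authoritative (which is why the request-side regex was dropped) would help the next reader.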
diff --git
a/admin/company_preferences.php
b/admin/company_preferences.php
index 8762378dcd6573eaf0b16ecfbd084cb0061c9ffe..9859cc8cfcb12a3ab839a48aa0acfbd9d3a70104 100644
(file)
--- a/
admin/company_preferences.php
+++ b/
admin/company_preferences.php
@@
-49,7
+49,7
@@
if (isset($_POST['update']) && $_POST['update'] != "")
$filename .= "/".clean_file_name($_FILES['pic']['name']);
//But check for the worst
$filename .= "/".clean_file_name($_FILES['pic']['name']);
//But check for the worst
- if (!in_array( substr($filename,-
3), array('jpg','JPG','png','
PNG')))
+ if (!in_array( substr($filename,-
4), array('.jpg','.JPG','.png','.
PNG')))
{
display_error(_('Only jpg and png files are supported - a file extension of .jpg or .png is expected'));
$input_error = 1;
{
display_error(_('Only jpg and png files are supported - a file extension of .jpg or .png is expected'));
$input_error = 1;
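Review bot: The tightened check still inspects only the last four characters of the user-supplied name, so the upload's content is never verified as an image; a file of any content is accepted as long as its name ends in one of the four listed spellings. Checking the temporary file itself closes that gap, and lowercasing removes the need to enumerate case variants: `if (!in_array(strtolower(substr($filename, -4)), array('.jpg', '.png'), true) || getimagesize($_FILES['pic']['tmp_name']) === false)`. Note that `getimagesize` raises a warning on non-image data, which the project's error handler may turn into a displayed message; `in_array` should also take the strict flag as shown. The enclosing `if (isset($_POST['update']) ...)` block starts outside the hunk, and how `$filename` is stored afterwards is not visible here.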
diff --git
a/admin/inst_lang.php
b/admin/inst_lang.php
index 805969ffa0514dfa35cd892c6c4ed2eed6b06f5f..d533944f71c466e045c5cd2b335effc0fb789d6c 100644
(file)
--- a/
admin/inst_lang.php
+++ b/
admin/inst_lang.php
@@
-169,7
+169,8
@@
function handle_submit($id)
if (is_uploaded_file($_FILES['uploadfile']['tmp_name']))
{
$file1 = $_FILES['uploadfile']['tmp_name'];
if (is_uploaded_file($_FILES['uploadfile']['tmp_name']))
{
$file1 = $_FILES['uploadfile']['tmp_name'];
- $file2 = $directory . "/LC_MESSAGES/".$_POST['code'].".po";
+ $code = preg_replace('/[^a-zA-Z_]/', '', $_POST['code']);
+ $file2 = $directory . "/LC_MESSAGES/$code.po";
if (file_exists($file2))
unlink($file2);
move_uploaded_file($file1, $file2);
if (file_exists($file2))
unlink($file2);
move_uploaded_file($file1, $file2);
@@
-177,7
+178,8
@@
function handle_submit($id)
if (is_uploaded_file($_FILES['uploadfile2']['tmp_name']))
{
$file1 = $_FILES['uploadfile2']['tmp_name'];
if (is_uploaded_file($_FILES['uploadfile2']['tmp_name']))
{
$file1 = $_FILES['uploadfile2']['tmp_name'];
- $file2 = $directory . "/LC_MESSAGES/".$_POST['code'].".mo";
+ $code = preg_replace('/[^a-zA-Z_]/', '', $_POST['code']);
+ $file2 = $directory . "/LC_MESSAGES/$code.mo";
if (file_exists($file2))
unlink($file2);
move_uploaded_file($file1, $file2);
if (file_exists($file2))
unlink($file2);
move_uploaded_file($file1, $file2);
@@
-292,4
+294,4
@@
if (isset($_GET['popup']) || get_post('Add') || $Mode == 'Edit' || $Mode == 'ADD
//---------------------------------------------------------------------------------------------
end_page();
//---------------------------------------------------------------------------------------------
end_page();
-?>
\ No newline at end of file
+?>
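Review bot: The sanitised `$code` can collapse to an empty string (the regex removes characters but never checks that any remain), in which case `$file2` becomes `$directory/LC_MESSAGES/.po` and the upload is written to a hidden dotfile; the same applies to the `.mo` path in the second hunk. Rejecting the empty result before composing the path avoids that, e.g. `if ($code == '') { display_error(_('Invalid language code')); return; }`. The filter line is also duplicated verbatim in both hunks; computing `$code` once near the top of `handle_submit` (whose start is outside the hunk) would keep the two upload paths from drifting apart, and a comment on it saying that the code is used as a path component would explain why digits and dashes are deliberately excluded, if that is intended. The final hunk only adds the trailing newline.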
diff --git
a/includes/main.inc
b/includes/main.inc
index e6b7f9f8a48ed4b096610adc5b2e15ca19281f4e..db1576bf50d748ad38b2b0bdd7b1b160dfcba57d 100644
(file)
--- a/
includes/main.inc
+++ b/
includes/main.inc
@@
-348,6
+348,7
@@
function find_custom_file($rep)
Changes all not POSIX compatible chars to underscore.
*/
function clean_file_name($filename) {
Changes all not POSIX compatible chars to underscore.
*/
function clean_file_name($filename) {
+ $filename = str_replace(chr(0), '', $filename);
return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
}
return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
}
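Review bot: The added `str_replace(chr(0), ...)` changes the result for NUL bytes from `_` (what the following `preg_replace` would have produced, since NUL is outside the allowed class) to nothing at all, and the line carries no comment saying why that distinction matters; a one-liner such as `// drop NUL bytes rather than mapping them to '_', so a name cannot be silently truncated by path APIs` would record the intent. More importantly, `.` is in the allowed class, so the function still returns `.` or `..` unchanged (and an empty string for an empty input), which callers in this commit join directly onto a directory with `/`; a guard before the return such as `if ($filename == '' || $filename == '.' || $filename == '..') $filename = '_';` would make the docblock's promise of a usable file name hold. The docblock itself could then state the contract: returns a non-empty name consisting only of `[a-zA-Z0-9.-_]` that is never `.` or `..`.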
diff --git
a/inventory/includes/inventory_db.inc
b/inventory/includes/inventory_db.inc
index 34f7b3d94de0864d63602607d21ee224ba9adc96..79fda1196e44bc13f6811f186c7fc8082ab0d8c7 100644
(file)
--- a/
inventory/includes/inventory_db.inc
+++ b/
inventory/includes/inventory_db.inc
@@
-27,7
+27,8
@@
include_once($path_to_root . "/inventory/includes/db/items_units_db.inc");
function item_img_name($stock_id)
{
function item_img_name($stock_id)
{
- return strtr($stock_id, "><\\/:|*?", '________');
+ $stock_id = strtr($stock_id, "><\\/:|*?", '________');
+ return clean_file_name($stock_id);
}
}
-?>
\ No newline at end of file
+?>
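Review bot: The `strtr` on the first new line is now redundant: every character in `><\/:|*?` lies outside the `[a-zA-Z0-9.\-_]` class that `clean_file_name` allows, so it is mapped to `_` either way and `return clean_file_name($stock_id);` alone gives the identical result. Keeping both is harmless but invites the question of whether the two lists are meant to differ; if the redundancy is intentional as a belt-and-braces measure, say so in a comment, e.g. `// clean_file_name() already covers these characters; kept for clarity`. This assumes `includes/main.inc` is always loaded before this file, which the hunk does not show. The second hunk only adds the trailing newline.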