From: Janusz Dobrowolski
Date: Thu, 6 Mar 2014 23:57:47 +0000 (+0100)
Subject: Fixed security issues in file uploads.
X-Git-Tag: 2.3-final~154
X-Git-Url: https://delta.frontaccounting.com/gitweb/?p=fa-stable.git;a=commitdiff_plain;h=14f56ab219f12c3e2b1dec21f356505f1f8292bd

Fixed security issues in file uploads.
---
diff --git a/admin/attachments.php b/admin/attachments.php
index 9540327a..2f41d80c 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -108,7 +108,10 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 // protect against directory traversal
 if ($Mode == 'UPDATE_ITEM') {
- $unique_name = preg_replace('/[^a-zA-Z0-9.\-_]/', '', $_POST['unique_name']);
+ $row = get_attachment($selected_id);
+ if ($row['filename'] == "")
+ exit();
+ $unique_name = $row['unique_name'];
 if ($filename && file_exists($dir."/".$unique_name))
 unlink($dir."/".$unique_name);
 }
diff --git a/admin/company_preferences.php b/admin/company_preferences.php
index 8762378d..9859cc8c 100644
--- a/admin/company_preferences.php
+++ b/admin/company_preferences.php
@@ -49,7 +49,7 @@ if (isset($_POST['update']) && $_POST['update'] != "")
 $filename .= "/".clean_file_name($_FILES['pic']['name']);
 //But check for the worst
- if (!in_array( substr($filename,-3), array('jpg','JPG','png','PNG')))
+ if (!in_array( substr($filename,-4), array('.jpg','.JPG','.png','.PNG')))
 {
 display_error(_('Only jpg and png files are supported - a file extension of .jpg or .png is expected'));
 $input_error = 1;
diff --git a/admin/inst_lang.php b/admin/inst_lang.php
index 805969ff..d533944f 100644
--- a/admin/inst_lang.php
+++ b/admin/inst_lang.php
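Review bot: The new guard `if ($row['filename'] == "")` only handles a row whose filename is empty; when `get_attachment($selected_id)` returns no row at all (`false`), the script still exits only because indexing `false` yields `null` and `null == ""` holds under loose comparison, which emits a notice on PHP 7.4 and later and is easy to break in a refactor. Make the missing-row case explicit and the comparison strict: `if (!$row || $row['filename'] === "") exit();`. Because `$row['unique_name']` now reaches `unlink($dir."/".$unique_name)` with no character filter at all, a cheap defence such as `$unique_name = basename($row['unique_name']);` is worth keeping in case a stored value predates the filter this commit removes. The enclosing `if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')` block starts and ends outside the hunk.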
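Review bot: The corrected check `in_array( substr($filename,-4), array('.jpg','.JPG','.png','.PNG'))` is still case-sensitive by enumeration (`.Jpg`, `.PnG` or `.jpeg` are rejected) and, being a name-only test, never confirms that the uploaded bytes are an image. A clearer form is `$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));` followed by `if (!in_array($ext, array('jpg', 'png'), true) || getimagesize($_FILES['pic']['tmp_name']) === false)`, which normalises case, compares strictly and validates the content before the file is accepted. Whether `is_uploaded_file()` is checked on `$_FILES['pic']['tmp_name']` elsewhere in this block is not visible in the hunk; the surrounding `if (isset($_POST['update']) ...)` block begins and ends outside it.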
@@ -169,7 +169,8 @@ function handle_submit($id)
 if (is_uploaded_file($_FILES['uploadfile']['tmp_name']))
 {
 $file1 = $_FILES['uploadfile']['tmp_name'];
- $file2 = $directory . "/LC_MESSAGES/".$_POST['code'].".po";
+ $code = preg_replace('/[^a-zA-Z_]/', '', $_POST['code']);
+ $file2 = $directory . "/LC_MESSAGES/$code.po";
 if (file_exists($file2))
 unlink($file2);
 move_uploaded_file($file1, $file2);
@@ -177,7 +178,8 @@ function handle_submit($id)
 if (is_uploaded_file($_FILES['uploadfile2']['tmp_name']))
 {
 $file1 = $_FILES['uploadfile2']['tmp_name'];
- $file2 = $directory . "/LC_MESSAGES/".$_POST['code'].".mo";
+ $code = preg_replace('/[^a-zA-Z_]/', '', $_POST['code']);
+ $file2 = $directory . "/LC_MESSAGES/$code.mo";
 if (file_exists($file2))
 unlink($file2);
 move_uploaded_file($file1, $file2);
@@ -292,4 +294,4 @@ if (isset($_GET['popup']) || get_post('Add') || $Mode == 'Edit' || $Mode == 'ADD
 //---------------------------------------------------------------------------------------------
 end_page();
-?>
\ No newline at end of file
+?>
diff --git a/includes/main.inc b/includes/main.inc
index e6b7f9f8..db1576bf 100644
--- a/includes/main.inc
+++ b/includes/main.inc
@@ -348,6 +348,7 @@ function find_custom_file($rep)
 Changes all not POSIX compatible chars to underscore.
 */
 function clean_file_name($filename) {
+ $filename = str_replace(chr(0), '', $filename);
 return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
 }
diff --git a/inventory/includes/inventory_db.inc b/inventory/includes/inventory_db.inc
index 34f7b3d9..79fda119 100644
--- a/inventory/includes/inventory_db.inc
+++ b/inventory/includes/inventory_db.inc
@@ -27,7 +27,8 @@ include_once($path_to_root . "/inventory/includes/db/items_units_db.inc");
 function item_img_name($stock_id)
 {
- return strtr($stock_id, "><\\/:|*?", '________');
+ $stock_id = strtr($stock_id, "><\\/:|*?", '________');
+ return clean_file_name($stock_id);
 }
-?>
\ No newline at end of file
+?>
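Review bot: The line `$code = preg_replace('/[^a-zA-Z_]/', '', $_POST['code']);` silently strips rejected characters instead of refusing the input, so a code consisting only of rejected characters becomes an empty string and the upload is written as `/LC_MESSAGES/.po`; the second hunk at -177 has the same line for the `.mo` file. Prefer validating once, before both `is_uploaded_file()` branches, and rejecting anything that does not match, e.g. `if (!preg_match('/^[a-zA-Z_]+$/', $_POST['code'])) { display_error(_('Invalid language code')); return; }` with a single `$code = $_POST['code'];` shared by both branches, which also removes the duplicated sanitisation. The character class excludes digits and hyphens; if locale codes containing them are legitimate here, widen it accordingly. `handle_submit()` starts before the hunk and continues beyond it.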
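Review bot: The doc comment above `clean_file_name()` (`Changes all not POSIX compatible chars to underscore.`, beginning outside the hunk) no longer matches the added first line, which removes NUL bytes rather than replacing them; amend it to something like `NUL bytes are removed first; every other non-POSIX character becomes an underscore.`. The function still returns `.` and `..` unchanged because `.` is in the allowed set, so callers that append the result to a directory path should not treat it as traversal-proof by itself — a sentence noting that in the same comment would help. `preg_replace()` can also return `null` on a PCRE error, which callers would then concatenate as an empty string; the comment should state whether that is acceptable.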
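Review bot: The retained `strtr($stock_id, "><\\/:|*?", '________')` line is now redundant: each of those eight characters lies outside `[a-zA-Z0-9.\-_]`, so `clean_file_name()` maps every one of them to `_` regardless, and the body can be just `return clean_file_name($stock_id);`. If the line is kept for readability, a one-line comment saying that it is intentional would stop the next reader from asking the same question. The call also makes this file depend on `includes/main.inc`; whether that file is always loaded before `inventory_db.inc` is not visible here and is worth confirming.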