tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

#11780 Check mib upload security

This commit is contained in:
miguel angel rasteu 2023-08-24 12:19:15 +02:00
parent 9e747e9952
commit 44467d1ce1
1 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
pandora_console/include/functions_filemanager.php
View File

@ -125,9 +125,11 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
if (isset($_FILES['file']) === true && empty($_FILES['file']['name']) === false) { if (isset($_FILES['file']) === true && empty($_FILES['file']['name']) === false) {
$filename = $_FILES['file']['name']; $filename = $_FILES['file']['name'];
$real_directory = filemanager_safe_directory($destination_directory); $real_directory = filemanager_safe_directory($destination_directory);
$extension = pathinfo($filename, PATHINFO_EXTENSION);
$umask = io_safe_output((string) get_parameter('umask')); $umask = io_safe_output((string) get_parameter('umask'));
if (strpos($real_directory, $default_real_directory) !== 0) { if (strpos($real_directory, $default_real_directory) !== 0 || (strtolower($extension) !== 'mib' && strtolower($extension) !== 'zip')) {
// Perform security check to determine whether received upload // Perform security check to determine whether received upload
// directory is part of the default path for caller uploader and // directory is part of the default path for caller uploader and
// user is not trying to access an external path (avoid // user is not trying to access an external path (avoid
@ -184,7 +186,21 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
$filepath = $_FILES['file']['tmp_name']; $filepath = $_FILES['file']['tmp_name'];
$real_directory = filemanager_safe_directory($destination_directory); $real_directory = filemanager_safe_directory($destination_directory);
if (strpos($real_directory, $default_real_directory) !== 0) { // Security control structure.
$zip = new \ZipArchive;
$secure = true;
if ($zip->open($filepath) === true) {
for ($i = 0; $i < $zip->numFiles; $i++) {
$unzip_filename = $zip->getNameIndex($i);
$extension = pathinfo($unzip_filename, PATHINFO_EXTENSION);
if (strtolower($extension) !== 'mib') {
$secure = false;
break;
}
}
}
if (strpos($real_directory, $default_real_directory) !== 0 || $secure === false) {
// Perform security check to determine whether received upload // Perform security check to determine whether received upload
// directory is part of the default path for caller uploader // directory is part of the default path for caller uploader
// and user is not trying to access an external path (avoid // and user is not trying to access an external path (avoid