Fix upload of not wanted files in File Manager

2022-03-09 17:27:08 +01:00 · 2022-03-09 17:27:08 +01:00 · 73838ef843
parent 223475d546
commit 73838ef843
7 changed files with 200 additions and 79 deletions
--- a/pandora_console/godmode/servers/plugin.php
+++ b/pandora_console/godmode/servers/plugin.php
@ -262,7 +262,8 @@ if ($filemanager) {
            'index.php?sec=gservers&sec2=godmode/servers/plugin'.$chunck_url.'&plugin_command=[FILE_FULLPATH]&id_plugin='.$id_plugin,
            true,
            0775,
-            false
+            false,
            ['all' => true]
        );
    }
--- a/pandora_console/godmode/setup/file_manager.php
+++ b/pandora_console/godmode/setup/file_manager.php
@ -65,13 +65,22 @@ $real_directory = realpath($config['homedir'].'/'.$directory);
 echo '<h4>'.__('Index of %s', $directory).'</h4>';
-$upload_file_or_zip = (bool) get_parameter('upload_file_or_zip');
+$upload_file = (bool) get_parameter('upload_file');
 $create_text_file   = (bool) get_parameter('create_text_file');
 $default_real_directory = realpath($config['homedir'].'/');
-if ($upload_file_or_zip === true) {
+if ($upload_file === true) {
-    upload_file($upload_file_or_zip, $default_real_directory, $real_directory);
+    upload_file(
        $upload_file,
        $default_real_directory,
        $real_directory,
        [
            MIME_TYPES['jpg'],
            MIME_TYPES['png'],
            MIME_TYPES['gif'],
        ]
    );
 }
 if ($create_text_file === true) {
@ -89,5 +98,6 @@ filemanager_file_explorer(
    false,
    '',
    false,
-    false
+    false,
    []
 );
--- a/pandora_console/include/constants.php
+++ b/pandora_console/include/constants.php
@ -788,6 +788,7 @@ define('AUDIT_LOG_MASSIVE_MANAGEMENT', 'Massive operation management');
 define('AUDIT_LOG_POLICY_MANAGEMENT', 'Policy management');
 define('AUDIT_LOG_AGENT_REMOTE_MANAGEMENT', 'Agent remote configuration');
 define('AUDIT_LOG_FILE_COLLECTION', 'File collection');
 define('AUDIT_LOG_FILE_MANAGER', 'File manager');
 define('AUDIT_LOG_ALERT_MANAGEMENT', 'Alert management');
 define('AUDIT_LOG_ALERT_CORRELATION_MANAGEMENT', 'Alert correlation management');
 define('AUDIT_LOG_VISUAL_CONSOLE_MANAGEMENT', 'Visual Console Management');
@ -796,3 +797,58 @@ define('AUDIT_LOG_SNMP_MANAGEMENT', 'SNMP management');
 define('AUDIT_LOG_DASHBOARD_MANAGEMENT', 'Dashboard management');
 define('AUDIT_LOG_SERVICE_MANAGEMENT', 'Service management');
 define('AUDIT_LOG_INCIDENT_MANAGEMENT', 'Incident management');
 // MIMEs.
 define(
    'MIME_TYPES',
    [
        'txt'  => 'text/plain',
        'htm'  => 'text/html',
        'html' => 'text/html',
        'php'  => 'text/html',
        'css'  => 'text/css',
        'js'   => 'application/javascript',
        'json' => 'application/json',
        'xml'  => 'application/xml',
        'swf'  => 'application/x-shockwave-flash',
        'flv'  => 'video/x-flv',
        // Images.
        'png'  => 'image/png',
        'jpe'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'jpg'  => 'image/jpeg',
        'gif'  => 'image/gif',
        'bmp'  => 'image/bmp',
        'ico'  => 'image/vnd.microsoft.icon',
        'tiff' => 'image/tiff',
        'tif'  => 'image/tiff',
        'svg'  => 'image/svg+xml',
        'svgz' => 'image/svg+xml',
        // Archives.
        'zip'  => 'application/zip',
        'rar'  => 'application/x-rar-compressed',
        'exe'  => 'application/x-msdownload',
        'msi'  => 'application/x-msdownload',
        'cab'  => 'application/vnd.ms-cab-compressed',
        'gz'   => 'application/x-gzip',
        'gz'   => 'application/x-bzip2',
        // Audio/Video.
        'mp3'  => 'audio/mpeg',
        'qt'   => 'video/quicktime',
        'mov'  => 'video/quicktime',
        // Adobe.
        'pdf'  => 'application/pdf',
        'psd'  => 'image/vnd.adobe.photoshop',
        'ai'   => 'application/postscript',
        'eps'  => 'application/postscript',
        'ps'   => 'application/postscript',
        // MS Office.
        'doc'  => 'application/msword',
        'rtf'  => 'application/rtf',
        'xls'  => 'application/vnd.ms-excel',
        'ppt'  => 'application/vnd.ms-powerpoint',
        // Open Source Office files.
        'odt'  => 'application/vnd.oasis.opendocument.text',
        'ods'  => 'application/vnd.oasis.opendocument.spreadsheet',
    ]
 );
--- a/pandora_console/include/functions_filemanager.php
+++ b/pandora_console/include/functions_filemanager.php
@ -14,7 +14,7 @@
 * |___|   |___._|__|__|_____||_____|__| |___._| |___|   |__|_|__|_______|
 *
 * ============================================================================
- * Copyright (c) 2005-2021 Artica Soluciones Tecnologicas
+ * Copyright (c) 2005-2022 Artica Soluciones Tecnologicas
 * Please see http://pandorafms.org for full contribution list
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@ -48,69 +48,22 @@ if (function_exists('mime_content_type') === false) {
     */
    function mime_content_type(string $filename)
    {
        $mime_types = [
            'txt'  => 'text/plain',
            'htm'  => 'text/html',
            'html' => 'text/html',
            'php'  => 'text/html',
            'css'  => 'text/css',
            'js'   => 'application/javascript',
            'json' => 'application/json',
            'xml'  => 'application/xml',
            'swf'  => 'application/x-shockwave-flash',
            'flv'  => 'video/x-flv',
            // Images.
            'png'  => 'image/png',
            'jpe'  => 'image/jpeg',
            'jpeg' => 'image/jpeg',
            'jpg'  => 'image/jpeg',
            'gif'  => 'image/gif',
            'bmp'  => 'image/bmp',
            'ico'  => 'image/vnd.microsoft.icon',
            'tiff' => 'image/tiff',
            'tif'  => 'image/tiff',
            'svg'  => 'image/svg+xml',
            'svgz' => 'image/svg+xml',
            // Archives.
            'zip'  => 'application/zip',
            'rar'  => 'application/x-rar-compressed',
            'exe'  => 'application/x-msdownload',
            'msi'  => 'application/x-msdownload',
            'cab'  => 'application/vnd.ms-cab-compressed',
            'gz'   => 'application/x-gzip',
            'gz'   => 'application/x-bzip2',
            // Audio/Video.
            'mp3'  => 'audio/mpeg',
            'qt'   => 'video/quicktime',
            'mov'  => 'video/quicktime',
            // Adobe.
            'pdf'  => 'application/pdf',
            'psd'  => 'image/vnd.adobe.photoshop',
            'ai'   => 'application/postscript',
            'eps'  => 'application/postscript',
            'ps'   => 'application/postscript',
            // MS Office.
            'doc'  => 'application/msword',
            'rtf'  => 'application/rtf',
            'xls'  => 'application/vnd.ms-excel',
            'ppt'  => 'application/vnd.ms-powerpoint',
            // Open Source Office files.
            'odt'  => 'application/vnd.oasis.opendocument.text',
            'ods'  => 'application/vnd.oasis.opendocument.spreadsheet',
        ];
        $ext_fields = explode('.', $filename);
        $ext = array_pop($ext_fields);
        $ext = strtolower($ext);
-        if (array_key_exists($ext, $mime_types) === true) {
+        if (array_key_exists($ext, MIME_TYPES) === true) {
-            return $mime_types[$ext];
+            return MIME_TYPES[$ext];
        } else if (function_exists('finfo_open') === true) {
            $finfo = finfo_open(FILEINFO_MIME);
            $mimetype = finfo_file($finfo, $filename);
            finfo_close($finfo);
            return $mimetype;
        } else {
-            error_log('Warning: Cannot find finfo_open function. Fileinfo extension is not enabled. Please add "extension=fileinfo.so" or "extension=fileinfo.dll" in your php.ini');
+            db_pandora_audit(
                AUDIT_LOG_FILE_MANAGER,
                'Warning: Cannot find finfo_open function. Fileinfo extension is not enabled. Please add "extension=fileinfo.so" or "extension=fileinfo.dll" in your php.ini'
            );
            return 'unknown';
        }
    }
@ -129,10 +82,12 @@ require_once $config['homedir'].'/vendor/autoload.php';
 * @param boolean $upload_file_or_zip     Upload file or zip.
 * @param string  $default_real_directory String with default directory.
 * @param string  $destination_directory  String with destination directory.
 * @param array   $filterFilesType        If come filled, filter uploaded files with this extensions.
 *
 * @throws Exception Exception.
 * @return void
 */
-function upload_file($upload_file_or_zip, $default_real_directory, $destination_directory)
+function upload_file($upload_file_or_zip, $default_real_directory, $destination_directory, $filterFilesType=[])
 {
    global $config;
    $config['filemanager'] = [];
@ -179,13 +134,24 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
                // controlled by corresponding .htaccess).
                $config['filemanager']['message'] = ui_print_error_message(__('Security error'));
            } else {
                $result = false;
                // Copy file to directory and change name.
                $nombre_archivo = sprintf('%s/%s', $real_directory, $filename);
                try {
                    $mimeContentType = mime_content_type($_FILES['file']['tmp_name']);
                    if (empty($filterFilesType) === true || in_array($mimeContentType, $filterFilesType) === true) {
                        $result = copy($_FILES['file']['tmp_name'], $nombre_archivo);
                    } else {
                        $error_message = 'The uploaded file is not allowed. Only gif, png or jpg files can be uploaded.';
                        throw new Exception(__($error_message));
                    }
                } catch (Exception $ex) {
-                    $result = false;
+                    db_pandora_audit(
                        AUDIT_LOG_FILE_MANAGER,
                        'Error Uploading files: '.$ex->getMessage()
                    );
                    $config['filemanager']['message'] = ui_print_error_message(__('Upload error').': '.$ex->getMessage());
                }
                if ($result === true) {
@ -203,8 +169,6 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
                    $config['filemanager']['correct_upload_file'] = 1;
                    // Delete temporal file.
                    unlink($_FILES['file']['tmp_name']);
                } else {
                    $config['filemanager']['message'] = ui_print_error_message(__('Upload error'));
                }
            }
        }
@ -496,7 +460,7 @@ function filemanager_read_recursive_dir($dir, $relative_path='', $add_empty_dirs
 * @param boolean $download_button     The flag to show download button, by default false.
 * @param string  $umask               The umask as hex values to set the new files or updload.
 * @param boolean $homedir_filemanager Homedir filemanager.
- * @param boolean $allowCreateText     If true, 'Create Text' button will be shown.
+ * @param array   $options             Associative array. ['all' => true] will show all options. Check function for valid options.
 */
 function filemanager_file_explorer(
    $real_directory,
@ -509,7 +473,7 @@ function filemanager_file_explorer(
    $download_button=false,
    $umask='',
    $homedir_filemanager=false,
-    $allowCreateText=true
+    $options=[]
 ) {
    global $config;
@ -517,6 +481,9 @@ function filemanager_file_explorer(
    $real_directory = str_replace('\\', '/', $real_directory);
    $relative_directory = str_replace('\\', '/', $relative_directory);
    $father = str_replace('\\', '/', $father);
    // Options.
    $allowZipFiles = (isset($options['all']) === true) || ((isset($options['allowZipFiles']) === true) && ($options['allowZipFiles'] === true));
    $allowCreateText = (isset($options['all']) === true) || ((isset($options['allowCreateText']) === true) && ($options['allowCreateText'] === true));
    if ($homedir_filemanager === false) {
        $homedir_filemanager = $config['homedir'];
@ -839,15 +806,86 @@ function filemanager_file_explorer(
            $tabs_dialog .= '</ul>';
-            echo '<div id="create_folder" class="invisible">'.$tabs_dialog.'
+            // Create folder section.
-            <form method="post" action="'.$url.'">'.html_print_input_text('dirname', '', '', 30, 255, true).html_print_submit_button(__('Create'), 'crt', false, 'class="sub next"', true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('create_dir', 1, true).html_print_input_hidden('hash', md5($relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('hash2', md5($relative_directory.$config['server_unique_identifier']), true).'</form></div>';
+            $createFolderElements = $tabs_dialog;
            $createFolderElements .= sprintf('<form method="POST" action="%s">', $url);
            $createFolderElements .= html_print_input_text('dirname', '', '', 30, 255, true);
            $createFolderElements .= html_print_submit_button(__('Create'), 'crt', false, 'class="sub next"', true);
            $createFolderElements .= html_print_input_hidden('directory', $relative_directory, true);
            $createFolderElements .= html_print_input_hidden('create_dir', 1, true);
            $createFolderElements .= html_print_input_hidden('hash', md5($relative_directory.$config['server_unique_identifier']), true);
            $createFolderElements .= html_print_input_hidden('hash2', md5($relative_directory.$config['server_unique_identifier']), true);
            $createFolderElements .= '</form>';
-            echo '<div id="upload_file" class="invisible"> '.$tabs_dialog.'
+            html_print_div(
-            <form method="post" action="'.$url.'" enctype="multipart/form-data">'.ui_print_help_tip(__('The zip upload in this dir, easy to upload multiple files.'), true).html_print_input_file('file', true, false).html_print_input_hidden('umask', $umask, true).html_print_checkbox('decompress', 1, false, true).__('Decompress').html_print_submit_button(__('Go'), 'go', false, 'class="sub next"', true).html_print_input_hidden('real_directory', $real_directory, true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('hash2', md5($relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('upload_file_or_zip', 1, true).'</form></div>';
+                [
                    'id'      => 'create_folder',
                    'class'   => 'invisible',
                    'content' => $createFolderElements,
                ]
            );
            // Upload file section.
            $uploadFileElements = $tabs_dialog;
            $uploadFileElements .= sprintf('<form method="POST" action="%s" enctype="multipart/form-data">', $url);
            $uploadFileElements .= html_print_input_hidden('umask', $umask, true);
            if ($allowZipFiles === true) {
                $uploadFileElements .= ui_print_help_tip(__('The zip upload in this dir, easy to upload multiple files.'), true);
                $uploadFileElements .= html_print_input_file('file', true, false);
                $uploadFileElements .= html_print_checkbox('decompress', 1, false, true).__('Decompress');
                $uploadFileElements .= html_print_input_hidden('upload_file_or_zip', 1, true);
            } else {
                $uploadFileElements .= html_print_div(
                    [
                        'id'      => 'upload_file_input_full',
                        'content' => html_print_input_file(
                            'file',
                            true,
                            [ 'style' => 'border:0; padding:0; width:100%' ]
                        ),
                    ],
                    true
                );
                $uploadFileElements .= html_print_input_hidden('upload_file', 1, true);
            }
            $uploadFileElements .= html_print_submit_button(__('Go'), 'go', false, 'class="sub next"', true);
            $uploadFileElements .= html_print_input_hidden('real_directory', $real_directory, true);
            $uploadFileElements .= html_print_input_hidden('directory', $relative_directory, true);
            $uploadFileElements .= html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['server_unique_identifier']), true);
            $uploadFileElements .= html_print_input_hidden('hash2', md5($relative_directory.$config['server_unique_identifier']), true);
            $uploadFileElements .= '</form>';
            html_print_div(
                [
                    'id'      => 'upload_file',
                    'class'   => 'invisible',
                    'content' => $uploadFileElements,
                ]
            );
            // Create text section.
            if ($allowCreateText === true) {
-                echo ' <div id="create_text_file" class="invisible">'.$tabs_dialog.'
+                $createTextElements = $tabs_dialog;
-                <form method="post" action="'.$url.'">'.html_print_input_text('name_file', '', '', 30, 50, true).html_print_submit_button(__('Create'), 'create', false, 'class="sub next"', true).html_print_input_hidden('real_directory', $real_directory, true).html_print_input_hidden('directory', $relative_directory, true).html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['server_unique_identifier']), true).html_print_input_hidden('umask', $umask, true).html_print_input_hidden('create_text_file', 1, true).'</form></div>';
+                $createTextElements .= '<form method="post" action="'.$url.'">';
                $createTextElements .= html_print_input_text('name_file', '', '', 30, 50, true);
                $createTextElements .= html_print_submit_button(__('Create'), 'create', false, 'class="sub next"', true);
                $createTextElements .= html_print_input_hidden('real_directory', $real_directory, true);
                $createTextElements .= html_print_input_hidden('directory', $relative_directory, true);
                $createTextElements .= html_print_input_hidden('hash', md5($real_directory.$relative_directory.$config['server_unique_identifier']), true);
                $createTextElements .= html_print_input_hidden('umask', $umask, true);
                $createTextElements .= html_print_input_hidden('create_text_file', 1, true);
                $createTextElements .= '</form>';
                html_print_div(
                    [
                        'id'      => 'create_text_file',
                        'class'   => 'invisible',
                        'content' => $createTextElements,
                    ]
                );
            }
            echo "<div style='width: ".$table->width.";' class='file_table_buttons'>";
--- a/pandora_console/include/functions_html.php
+++ b/pandora_console/include/functions_html.php
@ -4267,6 +4267,10 @@ function html_print_input_file($name, $return=false, $options=false)
        if (isset($options['onchange'])) {
            $output .= ' onchange="'.$options['onchange'].'"';
        }
        if (isset($options['style']) === true) {
            $output .= ' style="'.$options['style'].'"';
        }
    }
    $output .= ' />';
--- a/pandora_console/include/styles/pandora.css
+++ b/pandora_console/include/styles/pandora.css
@ -5092,6 +5092,17 @@ input:checked + .p-slider:before {
  margin-top: 10px;
 }
 #upload_file #upload_file_input_full {
  width: 100%;
  border: 1px solid #cbcbcb;
  border-radius: 2px;
  padding: 5px 0;
 }
 #upload_file_input_full input#file-file::-webkit-file-upload-button {
  margin-left: 5px;
 }
 .file_table_modal_active {
  background-color: #fff;
  border: 1px solid #e6e6e6;
--- a/pandora_console/operation/snmpconsole/snmp_mib_uploader.php
+++ b/pandora_console/operation/snmpconsole/snmp_mib_uploader.php
@ -108,5 +108,6 @@ filemanager_file_explorer(
    '',
    false,
    '',
-    false
+    false,
    ['all' => true]
 );