From a0c311c1105590db35161cd7a9c055749e9a8df3 Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Mon, 30 Jan 2023 19:47:02 +0100
Subject: [PATCH 1/2] fixed vulnerability

---
 .../godmode/setup/file_manager.php | 16 ++++++++++++++++
 .../include/functions_filemanager.php | 19 ++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/pandora_console/godmode/setup/file_manager.php b/pandora_console/godmode/setup/file_manager.php
index 6f54f2f0a8..272eab74f0 100644
--- a/pandora_console/godmode/setup/file_manager.php
+++ b/pandora_console/godmode/setup/file_manager.php
@@ -87,6 +87,22 @@ $create_text_file = (bool) get_parameter('create_text_file');
 $default_real_directory = realpath($config['homedir'].'/');
+$_FILES['file']['name'] = '../test3.jpeg';
+
+// Remove double dot in filename path.
+$file_name = $_FILES['file']['name'];
+$path_parts = explode('/', $file_name);
+
+$stripped_parts = array_filter(
+ $path_parts,
+ function ($value) {
+ return $value !== '..';
+ }
+);
+
+$stripped_path = implode('/', $stripped_parts);
+$_FILES['file']['name'] = $stripped_path;
+
 if ($upload_file === true) {
 upload_file(
 $upload_file,
diff --git a/pandora_console/include/functions_filemanager.php b/pandora_console/include/functions_filemanager.php
index 94e16e822b..3242fadcb0 100644
--- a/pandora_console/include/functions_filemanager.php
+++ b/pandora_console/include/functions_filemanager.php
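Review bot: In file_manager.php the `..` filter runs at file scope on every request, ahead of the `if ($upload_file === true)` check, so a request that carries no upload reads an undefined `$_FILES['file']['name']` and then creates a `$_FILES['file']` entry whose name is an empty string. The filter also splits on `/` only and removes exact `..` segments, which leaves backslash separators and any other directory components in the name handed to `upload_file()`. Reducing the name to its last component inside a guard is shorter and stricter: `if (isset($_FILES['file']['name']) === true) { $_FILES['file']['name'] = basename(str_replace('\\', '/', $_FILES['file']['name'])); }`. Whether `upload_file()` also checks the resolved destination against `$default_real_directory` is not visible in this hunk.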
@@ -139,8 +139,25 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
 $nombre_archivo = sprintf('%s/%s', $real_directory, $filename);
 try {
 $mimeContentType = mime_content_type($_FILES['file']['tmp_name']);
+ $fileExtension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
- if (empty($filterFilesType) === true || in_array($mimeContentType, $filterFilesType) === true) {
+ $validFileExtension = true;
+
+ if (empty($fileExtension) === false) {
+ $filtered_types = array_filter(
+ $filterFilesType,
+ function ($value) use ($fileExtension) {
+ $mimeTypeExtensionName = explode('/', $value)[1];
+ return $mimeTypeExtensionName === $fileExtension;
+ }
+ );
+
+ if (empty($filtered_types) === true) {
+ $validFileExtension = false;
+ }
+ }
+
+ if ($validFileExtension === true && (empty($filterFilesType) === true || in_array($mimeContentType, $filterFilesType) === true)) {
 $result = copy($_FILES['file']['tmp_name'], $nombre_archivo);
 } else {
 $error_message = 'The uploaded file is not allowed. Only gif, png or jpg files can be uploaded.';
From a69f3eb0dcc1160ed3a55622d1aeeaf527fddf18 Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Wed, 1 Feb 2023 10:24:35 +0100
Subject: [PATCH 2/2] minor change

---
 pandora_console/godmode/setup/file_manager.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pandora_console/godmode/setup/file_manager.php b/pandora_console/godmode/setup/file_manager.php
index 272eab74f0..f54cf7f7f6 100644
--- a/pandora_console/godmode/setup/file_manager.php
+++ b/pandora_console/godmode/setup/file_manager.php
@@ -87,8 +87,6 @@ $create_text_file = (bool) get_parameter('create_text_file');
 $default_real_directory = realpath($config['homedir'].'/');
-$_FILES['file']['name'] = '../test3.jpeg';
-
 // Remove double dot in filename path.
 $file_name = $_FILES['file']['name'];
 $path_parts = explode('/', $file_name);
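Review bot: In the upload_file() hunk of functions_filemanager.php, the new extension check rejects every file that has an extension whenever `$filterFilesType` is empty, because `array_filter()` over an empty list returns nothing and `$validFileExtension` becomes false, although the `empty($filterFilesType) === true` branch kept in the final condition shows that an empty filter is meant to allow the upload. A name without an extension skips the new check entirely and is judged by `mime_content_type()` alone. The strict comparison is also case-sensitive, `explode('/', $value)[1]` assumes every filter entry contains a slash, and a `.jpg` name presumably fails against an `image/jpeg` entry even though the error message names jpg (the filter contents are not visible here, and such an alias would still have to be added by hand). I would run the check only when a filter is set, lower-case both sides, and treat a missing extension as a mismatch, as sketched below; the body of upload_file() starts and ends outside the hunk.

```php
// … unchanged: $mimeContentType = mime_content_type(...) …
$fileExtension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));

// No filter configured keeps the previous "allow all" behaviour.
$validFileExtension = true;

if (empty($filterFilesType) === false) {
    $allowedExtensions = [];
    foreach ($filterFilesType as $mimeType) {
        $parts = explode('/', strtolower($mimeType), 2);
        if (isset($parts[1]) === true) {
            $allowedExtensions[] = $parts[1];
        }
    }

    // An empty extension is not in the list, so it is rejected too.
    $validFileExtension = in_array($fileExtension, $allowedExtensions, true);
}

// … unchanged: if ($validFileExtension === true && (...)) { copy(...) } else { ... } …
```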