Merge branch 'ent-10163-Remote-Code-Execution-via-Unrestricted-File-Upload' into 'develop'

fixed vulnerability See merge request artica/pandorafms!5476
2023-02-02 10:02:15 +00:00 · 2023-02-02 10:02:15 +00:00 · ccb93c0918
parent 9a7c9488eb a69f3eb0dc
commit ccb93c0918
2 changed files with 32 additions and 1 deletions
--- a/pandora_console/godmode/setup/file_manager.php
+++ b/pandora_console/godmode/setup/file_manager.php
@ -87,6 +87,20 @@ $create_text_file = (bool) get_parameter('create_text_file');

 $default_real_directory = realpath($config['homedir'].'/');

+// Remove double dot in filename path.
+$file_name = $_FILES['file']['name'];
+$path_parts = explode('/', $file_name);
+
+$stripped_parts = array_filter(
+    $path_parts,
+    function ($value) {
+        return $value !== '..';
+    }
+);
+
+$stripped_path = implode('/', $stripped_parts);
+$_FILES['file']['name'] = $stripped_path;
+
 if ($upload_file === true) {
    upload_file(
        $upload_file,
--- a/pandora_console/include/functions_filemanager.php
+++ b/pandora_console/include/functions_filemanager.php
@ -139,8 +139,25 @@ function upload_file($upload_file_or_zip, $default_real_directory, $destination_
                $nombre_archivo = sprintf('%s/%s', $real_directory, $filename);
                try {
                    $mimeContentType = mime_content_type($_FILES['file']['tmp_name']);
+                    $fileExtension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

-                    if (empty($filterFilesType) === true || in_array($mimeContentType, $filterFilesType) === true) {
+                    $validFileExtension = true;
+
+                    if (empty($fileExtension) === false) {
+                        $filtered_types = array_filter(
+                            $filterFilesType,
+                            function ($value) use ($fileExtension) {
+                                $mimeTypeExtensionName = explode('/', $value)[1];
+                                return $mimeTypeExtensionName === $fileExtension;
+                            }
+                        );
+
+                        if (empty($filtered_types) === true) {
+                            $validFileExtension = false;
+                        }
+                    }
+
+                    if ($validFileExtension === true && (empty($filterFilesType) === true || in_array($mimeContentType, $filterFilesType) === true)) {
                        $result = copy($_FILES['file']['tmp_name'], $nombre_archivo);
                    } else {
                        $error_message = 'The uploaded file is not allowed. Only gif, png or jpg files can be uploaded.';