Secured get_file script for unauthorized file download

This commit is contained in:
Jose Gonzalez 2020-01-07 17:31:14 +01:00
parent e66b8ca4e3
commit f6163f4f80
3 changed files with 38 additions and 21 deletions


@ -64,9 +64,11 @@ if (!empty($files)) {
$document_root = str_replace('\\', '/', io_safe_output($_SERVER['DOCUMENT_ROOT'])); $document_root = str_replace('\\', '/', io_safe_output($_SERVER['DOCUMENT_ROOT']));
$file['location'] = str_replace('\\', '/', io_safe_output($file['location'])); $file['location'] = str_replace('\\', '/', io_safe_output($file['location']));
$relative_path = str_replace($document_root, '', $file['location']); $relative_path = str_replace($document_root, '', $file['location']);
$file_path = base64_encode($relative_path); $file_name = explode('/', $file['location']);
$hash = md5($relative_path.$config['dbpass']); $file_decoded = $file_name[(count($file_name) - 1)];
$url = ui_get_full_url("include/get_file.php?file=$file_path&hash=$hash"); $file_path = base64_encode($file_decoded);
$hash = md5($file_path.$config['dbpass']);
$url = ui_get_full_url('include/get_file.php?file='.urlencode($file_path).'&hash='.$hash);
$date_format = ($config['date_format']) ? io_safe_output($config['date_format']) : 'F j, Y - H:m'; $date_format = ($config['date_format']) ? io_safe_output($config['date_format']) : 'F j, Y - H:m';
$data[0] = "<a href=\"$url\" target=\"_blank\">".$file['name'].'</a>'; $data[0] = "<a href=\"$url\" target=\"_blank\">".$file['name'].'</a>';
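Review bot: The `explode('/', ...)` / `count(...) - 1` pair on the new `$file_name` and `$file_decoded` lines is a hand-rolled basename; `$file_decoded = basename($file['location']);` says the same thing in one line and is harder to get wrong. Note that only the basename is now signed and sent, so include/get_file.php must be able to locate the file from its name alone under the files_repo directory; if repository files are stored in subdirectories of that directory, that path component is lost in this link — confirm against how files_repo stores uploads. The `$document_root` and `$relative_path` computations above it are no longer used by the link and could be dropped if nothing else in the loop reads them (the loop body continues outside the hunk).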


@ -694,8 +694,9 @@ function filemanager_file_explorer(
$data[1] = '<a href="'.$url_file_clean.'">'.$fileinfo['name'].'</a>'; $data[1] = '<a href="'.$url_file_clean.'">'.$fileinfo['name'].'</a>';
} else { } else {
$hash = md5($relative_path.$config['dbpass']); $filename = base64_encode($relative_directory.'/'.$fileinfo['name']);
$data[1] = '<a href="'.$hack_metaconsole.'include/get_file.php?file='.urlencode(base64_encode($relative_path)).'&hash='.$hash.'">'.$fileinfo['name'].'</a>'; $hash = md5($filename.$config['dbpass']);
$data[1] = '<a href="'.$hack_metaconsole.'include/get_file.php?file='.urlencode($filename).'&hash='.$hash.'">'.$fileinfo['name'].'</a>';
} }
// Notice that uploaded php files could be dangerous // Notice that uploaded php files could be dangerous
@ -755,8 +756,9 @@ function filemanager_file_explorer(
} }
if ((!$fileinfo['is_dir']) && ($download_button)) { if ((!$fileinfo['is_dir']) && ($download_button)) {
$hash = md5($fileinfo['realpath'].$config['dbpass']); $filename = base64_encode($fileinfo['name']);
$data[4] .= '<a href="include/get_file.php?file='.urlencode(base64_encode($fileinfo['realpath'])).'&hash='.$hash.'" style="vertical-align: 25%;">'; $hash = md5($filename.$config['dbpass']);
$data[4] .= '<a href="include/get_file.php?file='.urlencode($filename).'&hash='.$hash.'" style="vertical-align: 25%;">';
$data[4] .= html_print_image('images/file.png', true); $data[4] .= html_print_image('images/file.png', true);
$data[4] .= '</a>'; $data[4] .= '</a>';
} }
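Review bot: The two download links in this section sign different things: the name link (`$filename = base64_encode($relative_directory.'/'.$fileinfo['name'])`) includes the relative directory, while the download-button link in the second hunk signs only `base64_encode($fileinfo['name'])`. Since get_file.php resolves file_manager downloads relative to the console root, the button link would presumably point at a non-existent path for any file inside a subdirectory — if `$fileinfo['name']` is a bare basename, the button should encode `$relative_directory.'/'.$fileinfo['name']` like the first link. The `md5($filename.$config['dbpass'])` scheme is shared with get_file.php and the files_repo link; if it is ever changed (for example to `hash_hmac('sha256', $filename, $config['dbpass'])`), all three sites must move together. filemanager_file_explorer() starts and ends outside these hunks.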


@ -29,29 +29,42 @@ if ($auth_method != 'ad' && $auth_method != 'ldap') {
$styleError = 'background:url("../images/err.png") no-repeat scroll 0 0 transparent; padding:4px 1px 6px 30px; color:#CC0000;'; $styleError = 'background:url("../images/err.png") no-repeat scroll 0 0 transparent; padding:4px 1px 6px 30px; color:#CC0000;';
$file = get_parameter('file', null); $file_raw = get_parameter('file', null);
$file = base64_decode($file); $file = base64_decode(urldecode($file_raw));
$hash = get_parameter('hash', null); $hash = get_parameter('hash', null);
$testHash = md5($file.$config['dbpass']); if ($file === '' || $hash === '' || $hash !== md5($file_raw.$config['dbpass']) || !isset($_SERVER['HTTP_REFERER'])) {
if ($hash != $testHash) {
echo "<h3 style='".$styleError."'>".__('Security error. Please contact the administrator.').'</h3>'; echo "<h3 style='".$styleError."'>".__('Security error. Please contact the administrator.').'</h3>';
} else if (!empty($file) && !empty($hash)) { } else {
// echo $file; $downloadable_file = '';
if (!file_exists($file)) { $parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
$file = $_SERVER['DOCUMENT_ROOT'].$file; $parse_sec2_query = explode('=', $parse_all_queries[1]);
if ($parse_sec2_query[0] === 'sec2') {
switch ($parse_sec2_query[1]) {
case 'godmode/setup/file_manager':
$downloadable_file = $_SERVER['DOCUMENT_ROOT'].'/pandora_console/'.$file;
break;
case 'extensions/files_repo':
$downloadable_file = $_SERVER['DOCUMENT_ROOT'].'/pandora_console/attachment/files_repo/'.$file;
break;
default:
$downloadable_file = '';
// Do nothing
break;
}
} }
if (!file_exists($file)) { if ($downloadable_file === '' || !file_exists($downloadable_file)) {
echo "<h3 style='".$styleError."'>".__('File is missing in disk storage. Please contact the administrator.').'</h3>'; echo "<h3 style='".$styleError."'>".__('File is missing in disk storage. Please contact the administrator.').'</h3>';
} else { } else {
header('Content-type: aplication/octet-stream;'); header('Content-type: aplication/octet-stream;');
header('Content-type: '.mime_content_type($file).';'); header('Content-type: '.mime_content_type($downloadable_file).';');
header('Content-Length: '.filesize($file)); header('Content-Length: '.filesize($downloadable_file));
header('Content-Disposition: attachment; filename="'.basename($file).'"'); header('Content-Disposition: attachment; filename="'.basename($downloadable_file).'"');
readfile($file); readfile($downloadable_file);
} }
} }
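Review bot: The Referer header read into `$parse_all_queries` / `$parse_sec2_query` to choose the base directory is supplied by the client, so it must not be treated as an authorization signal; the only protection here is the signed `file` parameter plus whatever session check precedes this hunk (outside it), and the Referer merely selects between two fixed directories. Parsing it with `explode('&', ...)[1]` also assumes `sec2` is exactly the second query parameter and raises notices when the Referer has no query string, and clients that strip Referer (Referrer-Policy, HTTPS→HTTP) will always land in the error branch; `parse_str()` on the query makes the lookup position-independent, though carrying the source as a signed parameter would remove the dependency on Referer altogether. The comparison `$hash !== md5($file_raw.$config['dbpass'])` should use `hash_equals()`, and because the decoded `$file` is concatenated straight into a path, a `realpath()` containment check keeps a signed name from resolving outside the chosen directory. The double decode `base64_decode(urldecode($file_raw))` presumably runs on a value PHP has already URL-decoded; if so, a `+` from the base64 alphabet becomes a space and the decoded name is silently corrupted — confirm what get_parameter() returns before keeping the extra `urldecode()`.
```php
// … unchanged: $styleError, get_parameter() calls, base64 decode …
$expected_hash = md5($file_raw.$config['dbpass']);
if ($file === '' || $hash === '' || !hash_equals($expected_hash, (string) $hash) || !isset($_SERVER['HTTP_REFERER'])) {
    // … unchanged: security error output …
} else {
    $downloadable_file = '';
    $base_dir = '';
    // Position-independent lookup of sec2 in the Referer query string.
    $referer_query = [];
    parse_str((string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY), $referer_query);
    switch ($referer_query['sec2'] ?? '') {
        case 'godmode/setup/file_manager':
            $base_dir = $_SERVER['DOCUMENT_ROOT'].'/pandora_console/';
            break;
        case 'extensions/files_repo':
            $base_dir = $_SERVER['DOCUMENT_ROOT'].'/pandora_console/attachment/files_repo/';
            break;
        default:
            // Unknown origin: leave $base_dir empty so nothing is served.
            break;
    }
    // Resolve both paths and require the file to stay inside the selected directory.
    $real_base = ($base_dir !== '') ? realpath($base_dir) : false;
    $real_file = ($real_base !== false) ? realpath($base_dir.$file) : false;
    if ($real_file !== false && strpos($real_file, $real_base.DIRECTORY_SEPARATOR) === 0) {
        $downloadable_file = $real_file;
    }
    // … unchanged: existence check, headers and readfile() …
```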