Merge branch '5249-Fallo-seguridad-gestor-uploads' into 'develop'
Secured the get_file script against unauthorized file download. See merge request artica/pandorafms!2999
This commit is contained in:
commit
ffce6399b0
|
@ -64,9 +64,11 @@ if (!empty($files)) {
|
|||
$document_root = str_replace('\\', '/', io_safe_output($_SERVER['DOCUMENT_ROOT']));
|
||||
$file['location'] = str_replace('\\', '/', io_safe_output($file['location']));
|
||||
$relative_path = str_replace($document_root, '', $file['location']);
|
||||
$file_path = base64_encode($relative_path);
|
||||
$hash = md5($relative_path.$config['dbpass']);
|
||||
$url = ui_get_full_url("include/get_file.php?file=$file_path&hash=$hash");
|
||||
$file_name = explode('/', $file['location']);
|
||||
$file_decoded = $file_name[(count($file_name) - 1)];
|
||||
$file_path = base64_encode($file_decoded);
|
||||
$hash = md5($file_path.$config['dbpass']);
|
||||
$url = ui_get_full_url('include/get_file.php?file='.urlencode($file_path).'&hash='.$hash);
|
||||
$date_format = ($config['date_format']) ? io_safe_output($config['date_format']) : 'F j, Y - H:m';
|
||||
|
||||
$data[0] = "<a href=\"$url\" target=\"_blank\">".$file['name'].'</a>';
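Review bot: `$relative_path` (and with it `$document_root`) on the unchanged lines at the top of this hunk is now computed but never used, because the new link signs only the file's basename. The explode/count pair can be the single line `$file_decoded = basename($file['location']);`, which is what the three added lines compute. Signing the bare basename also means the token no longer identifies which directory the file lives in; that has to be recovered server-side in get_file.php, so a token for a files_repo file and a token for any other file of the same name carry identical `file`/`hash` values unless the verifier binds a scope into the signed value. The surrounding loop over `$files` starts outside this hunk.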
|
||||
|
|
|
@ -690,8 +690,9 @@ function filemanager_file_explorer(
|
|||
|
||||
$data[1] = '<a href="'.$url_file_clean.'">'.$fileinfo['name'].'</a>';
|
||||
} else {
|
||||
$hash = md5($relative_path.$config['dbpass']);
|
||||
$data[1] = '<a href="'.$hack_metaconsole.'include/get_file.php?file='.urlencode(base64_encode($relative_path)).'&hash='.$hash.'">'.$fileinfo['name'].'</a>';
|
||||
$filename = base64_encode($relative_directory.'/'.$fileinfo['name']);
|
||||
$hash = md5($filename.$config['dbpass']);
|
||||
$data[1] = '<a href="'.$hack_metaconsole.'include/get_file.php?file='.urlencode($filename).'&hash='.$hash.'">'.$fileinfo['name'].'</a>';
|
||||
}
|
||||
|
||||
// Notice that uploaded php files could be dangerous
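Review bot: `$hash = md5($filename.$config['dbpass']);` is a plain MD5 of the payload with the secret appended, and the verifier in get_file.php compares it with `!==`, which is not constant-time. A keyed MAC is the standard construction here: `$hash = hash_hmac('sha256', $filename, $config['dbpass']);` on this side and `hash_equals($expected, $hash)` on the verifying side. The generators in this file and the check in get_file.php have to move together, since a link signed one way will not verify the other way. The enclosing function filemanager_file_explorer begins and ends outside this hunk.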
|
||||
|
@ -751,8 +752,9 @@ function filemanager_file_explorer(
|
|||
}
|
||||
|
||||
if ((!$fileinfo['is_dir']) && ($download_button)) {
|
||||
$hash = md5($fileinfo['realpath'].$config['dbpass']);
|
||||
$data[4] .= '<a href="include/get_file.php?file='.urlencode(base64_encode($fileinfo['realpath'])).'&hash='.$hash.'" style="vertical-align: 25%;">';
|
||||
$filename = base64_encode($fileinfo['name']);
|
||||
$hash = md5($filename.$config['dbpass']);
|
||||
$data[4] .= '<a href="include/get_file.php?file='.urlencode($filename).'&hash='.$hash.'" style="vertical-align: 25%;">';
|
||||
$data[4] .= html_print_image('images/file.png', true);
|
||||
$data[4] .= '</a>';
|
||||
}
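Review bot: The download icon now signs only `$fileinfo['name']`, while the name link in the same function (the earlier hunk of this file) signs `$relative_directory.'/'.$fileinfo['name']`; get_file.php prefixes both with the same base directory for this page, so for a file inside a subdirectory the icon's URL resolves to `pandora_console/<name>` rather than the file that was listed — a "missing in disk storage" error, or the wrong file if a same-named one exists at the base. Use the same payload as the link: `$filename = base64_encode($relative_directory.'/'.$fileinfo['name']);` (this assumes `$relative_directory` is in scope at this point as it is in the other hunk; it is not visible here). The enclosing function filemanager_file_explorer begins outside this hunk.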
|
||||
|
|
|
@ -29,29 +29,42 @@ if ($auth_method != 'ad' && $auth_method != 'ldap') {
|
|||
|
||||
$styleError = 'background:url("../images/err.png") no-repeat scroll 0 0 transparent; padding:4px 1px 6px 30px; color:#CC0000;';
|
||||
|
||||
$file = get_parameter('file', null);
|
||||
$file_raw = get_parameter('file', null);
|
||||
|
||||
$file = base64_decode($file);
|
||||
$file = base64_decode(urldecode($file_raw));
|
||||
|
||||
$hash = get_parameter('hash', null);
|
||||
|
||||
$testHash = md5($file.$config['dbpass']);
|
||||
|
||||
if ($hash != $testHash) {
|
||||
if ($file === '' || $hash === '' || $hash !== md5($file_raw.$config['dbpass']) || !isset($_SERVER['HTTP_REFERER'])) {
|
||||
echo "<h3 style='".$styleError."'>".__('Security error. Please contact the administrator.').'</h3>';
|
||||
} else if (!empty($file) && !empty($hash)) {
|
||||
// echo $file;
|
||||
if (!file_exists($file)) {
|
||||
$file = $_SERVER['DOCUMENT_ROOT'].$file;
|
||||
} else {
|
||||
$downloadable_file = '';
|
||||
$parse_all_queries = explode('&', parse_url($_SERVER['HTTP_REFERER'], PHP_URL_QUERY));
|
||||
$parse_sec2_query = explode('=', $parse_all_queries[1]);
|
||||
if ($parse_sec2_query[0] === 'sec2') {
|
||||
switch ($parse_sec2_query[1]) {
|
||||
case 'godmode/setup/file_manager':
|
||||
$downloadable_file = $_SERVER['DOCUMENT_ROOT'].'/pandora_console/'.$file;
|
||||
break;
|
||||
|
||||
case 'extensions/files_repo':
|
||||
$downloadable_file = $_SERVER['DOCUMENT_ROOT'].'/pandora_console/attachment/files_repo/'.$file;
|
||||
break;
|
||||
|
||||
default:
|
||||
$downloadable_file = '';
|
||||
// Do nothing
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!file_exists($file)) {
|
||||
if ($downloadable_file === '' || !file_exists($downloadable_file)) {
|
||||
echo "<h3 style='".$styleError."'>".__('File is missing in disk storage. Please contact the administrator.').'</h3>';
|
||||
} else {
|
||||
header('Content-type: aplication/octet-stream;');
|
||||
header('Content-type: '.mime_content_type($file).';');
|
||||
header('Content-Length: '.filesize($file));
|
||||
header('Content-Disposition: attachment; filename="'.basename($file).'"');
|
||||
readfile($file);
|
||||
header('Content-type: '.mime_content_type($downloadable_file).';');
|
||||
header('Content-Length: '.filesize($downloadable_file));
|
||||
header('Content-Disposition: attachment; filename="'.basename($downloadable_file).'"');
|
||||
readfile($downloadable_file);
|
||||
}
|
||||
}
|
||||
|
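Review bot: The base directory is selected from `$_SERVER['HTTP_REFERER']`, a header the client controls, and that selection is not covered by the hash, so a signed `file` token issued for one page can be replayed with a spoofed Referer to resolve the same payload under the other base directory (`pandora_console/<name>` instead of `attachment/files_repo/<name>`); the same check also rejects legitimate users whose browser omits the Referer, and `$parse_all_queries[1]` assumes `sec2` is exactly the second query parameter. Bind the scope into the signed value instead, pick the directory from an allow-list keyed by that scope, compare with `hash_equals()`, and drop the added `urldecode()` — `$_GET` is already decoded once, so a second pass turns the `+` of a base64 string into a space and corrupts the decode for any name whose encoding contains it. Whether a session or ACL check runs before this block is not visible in the hunk; if none does, possession of a link is the only access control. The link generators would have to emit the new `scope` parameter and the HMAC alongside.
```php
$file_raw = get_parameter('file', null);
$scope = get_parameter('scope', null);   // emitted by the link generator and covered by the MAC
$hash = get_parameter('hash', null);

// $_GET is already URL-decoded; strict base64 rejects a tampered payload.
$file = base64_decode((string) $file_raw, true);

$base_dirs = [
    'file_manager' => $_SERVER['DOCUMENT_ROOT'].'/pandora_console/',
    'files_repo'   => $_SERVER['DOCUMENT_ROOT'].'/pandora_console/attachment/files_repo/',
];

$expected = hash_hmac('sha256', $scope.'|'.$file_raw, $config['dbpass']);

if ($file === false || $file === '' || !isset($base_dirs[$scope]) || !is_string($hash) || !hash_equals($expected, $hash)) {
    echo "<h3 style='".$styleError."'>".__('Security error. Please contact the administrator.').'</h3>';
} else {
    $base_real = realpath($base_dirs[$scope]);
    $downloadable_file = realpath($base_dirs[$scope].$file);
    // Defence in depth: even a signed payload must stay inside its scope directory.
    if ($base_real === false || $downloadable_file === false || strpos($downloadable_file, $base_real.DIRECTORY_SEPARATOR) !== 0) {
        echo "<h3 style='".$styleError."'>".__('File is missing in disk storage. Please contact the administrator.').'</h3>';
    } else {
        // … unchanged: Content-type / Content-Length / Content-Disposition headers and readfile() on $downloadable_file …
    }
}
```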
|