
Revision 1460

Added by Dietmar over 13 years ago

Ticket 1101: phtml|php5|php4|php|cgi|pl|exe|com|bat|src| will be hardcoded.
Additionally, you can set more extensions in settings extended in the field rename_file_types.
rename_file_types is now a blacklist; files of those types will no longer be renamed to .txt.

update admintools modules to work with SecureForm Patch from NorHei


upload.php
66 66
	$file_extension_string=$fetch_result['value'];
67 67
}
68 68
$file_extensions=explode(",",$file_extension_string);
69

  
69
// get from settings and add to forbidden list
70
$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
71
// hardcodet forbidden filetypes
72
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
70 73
// Loop through the files
71 74
$good_uploads = 0;
72 75
for($count = 1; $count <= 10; $count++) {
73 76
	// If file was upload to tmp
74 77
	if(isset($_FILES["file$count"]['name'])) {
75 78
		// Remove bad characters
76
		$filename = media_filename($_FILES["file$count"]['name']);
79
		$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;
77 80
		// Check if there is still a filename left
78
		if($filename != '') {
79
			// Check for potentially malicious files and append 'txt' to their name
81
		// if($filename != '') {
82
		$info = pathinfo($filename);
83
		$ext = isset($info['extension']) ? $info['extension'] : '';
84

  
85
		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) ) {
86
/*
87
		// Check for potentially malicious files and append 'txt' to their name
80 88
			foreach($file_extensions as $file_ext) {
81 89
				$file_ext_len=strlen($file_ext);
82 90
				if (substr($filename,-$file_ext_len)==$file_ext) {
83 91
					$filename.='.txt';
84 92
				}
85
			}		
93
			}
94
*/
86 95
			// Move to relative path (in media folder)
87
			if(file_exists($relative.$filename) AND $overwrite == true) {			
96
			if(file_exists($relative.$filename) AND $overwrite == true) {
88 97
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
89 98
					$good_uploads++;
90 99
					// Chmod the uploaded file
91
					change_mode($relative.$filename, 'file');
100
					change_mode($relative.$filename);
92 101
				}
93 102
			} elseif(!file_exists($relative.$filename)) {
94 103
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
......
97 106
					change_mode($relative.$filename);
98 107
				}
99 108
			}
100
			
109

  
101 110
			if(file_exists($relative.$filename)) {
102 111
				if ($pathsettings[$resizepath]['width'] || $pathsettings[$resizepath]['height'] ) {
103 112
					$rimg=new RESIZEIMAGE($relative.$filename);
......
105 114
					$rimg->close();
106 115
				}
107 116
			}
108
				
117

  
109 118
			// store file name of first file for possible unzip action
110 119
			if ($count == 1) {
111 120
				$filename1 = $relative . $filename;
......
113 122
		}
114 123
	}
115 124
}
125
/*
126
 * Callback function to skip files in black-list
127
 */
128
function pclzipCheckValidFile($p_event, &$p_header)
129
{
130
                         //  return 1;
131
	$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
132
	// hardcodet forbidden filetypes
133
	$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
134
	$info = pathinfo($p_header['filename']);
135
                         $ext = isset($info['extension']) ? $info['extension'] : '';
136
                         $dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
137
	if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) && $dots != '.' )
138
	{	// ----- allowed file types are extracted
139
	  return 1;
140
	}else
141
	{	// ----- all other files are skiped
142
	  return 0;
143
	}
144
}
145
/* ********************************* */
116 146

  
117 147
// If the user chose to unzip the first file, unzip into the current folder
118 148
if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
119 149
	$archive = new PclZip($filename1);
120
	$list = $archive->extract(PCLZIP_OPT_PATH, $relative);
150

  
151
	$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');
152

  
121 153
	if($list == 0) {
122 154
		// error while trying to extract the archive (most likely wrong format)
123 155
		$admin->print_error('UNABLE TO UNZIP FILE' . $archive -> errorInfo(true));
124 156
	}
125
	
157

  
158
	$sum_dirs = 0;
159
	$sum_files = 0;
160

  
126 161
	// rename executable files!
127
	foreach ($list as $val) {
128
		$fn = $val['filename'];
129
		$fnp = pathinfo($fn);
130
		if (isset($fnp['extension'])) {
131
			$fext = $fnp['extension'];
132
			if (in_array($fext, $file_extensions)) {
133
				rename($fn, $fn.".txt");
134
			}
162
	foreach ($list as $key => $val) {
163
	    if( ($val['folder'] ) && change_mode($val['filename']) ) {
164
		   $sum_dirs++;
165
		} elseif( is_writable($val['filename']) && ($val['status'] == 'ok') && change_mode($val['filename']) )  {
166
			$sum_files++;
135 167
		}
136 168
	}
169
	if (isset($_POST['delzip'])) { unlink($filename1); }
137 170
}
138

  
171
unset($list);
139 172
if($good_uploads == 1) {
140
	$admin->print_success($good_uploads.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
141
	if (isset($_POST['delzip'])) {
142
		unlink($filename1);
143
	}
173
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
144 174
} else {
145 175
	$admin->print_success($good_uploads.' '.$MESSAGE['MEDIA']['UPLOADED'] );
146 176
}
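Review bot: The extension check added at new line 85 does not block `phtml` and, when RENAME_FILES_ON_UPLOAD is empty, rejects every upload: `$ext` comes from pathinfo() without a leading dot, so the first alternative `\.phtml` can never match, and the trailing `|` left after `src|` yields an empty last alternative in which `$` alone matches any extension. The alternatives are also not grouped, so only the last one is anchored by `$` and the others match anywhere in the string. Grouping and anchoring the whole list fixes both, e.g. `if ( ($filename != '') && !preg_match('/^(' . rtrim($forbidden_file_types, '|') . ')$/i', $ext) )`, and the same grouping should be applied to the `preg_match` in `pclzipCheckValidFile` (new line 137), which shares the empty-alternative problem. Because the configured list is spliced into the pattern unescaped, each entry should also pass through `preg_quote($entry, '/')` before being joined with `|`. The commented-out `.txt` renaming block (new lines 86–94) should be deleted rather than kept as dead code.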
