
Revision 1476

Added by Dietmar over 13 years ago

! optimize blacklist handling, add more separator ",#|;"
set of a wildcard ".*?" e.g. ph.*? proof ext like php, php3, php4 etc.
  1. fix strict warnings in media if default theme is not Argos Theme
    + add new settings value in install, upgrade-script and core module


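--- a/branches/2.8.x/CHANGELOG
+++ b/branches/2.8.x/CHANGELOG
@@ -11,8 +11,13 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 ------------------------------------
+13 Jul-2011 Build 1476 Dietmar Woellbrink (Luisehahne)
+! optimize blacklist handling, add more separator ",#|;"
+  set of a wildcard ".*?" e.g. ph.*? proof ext like php, php3, php4 etc.
+# fix sctrict warnings in media if default theme ist not Argos Theme
++ add new settings value in install, upgrade-script and core module
 13 Jul-2011 Build 1475 Dietmar Woellbrink (Luisehahne)
-+ add SecureForm.mtab.php under mantennance by WebsiteBaker Community
++ add SecureForm.mtab.php under maintenance by WebsiteBaker Community
 ! security fixes media, groups, users, sections
 # change lang variable to remove upgrade-script
 ! reworked add sections in pages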
branches/2.8.x/wb/upgrade-script.php
351 351
 */
352 352
echo "<br />Adding mediasettings to settings table<br />";
353 353
$cfg = array(
354
	'mediasettings' => ''
354
	'mediasettings' => '',
355
	'rename_files_on_upload' => 'ph.*?,cgi,pl,pm,exe,com,bat,pif,cmd,src,asp,aspx'
355 356
);
356 357
foreach($cfg as $key=>$value) {
357 358
	db_add_key_value($key, $value);
......
362 363
 */
363 364
echo "<br />Adding fingerprint_with_ip_octets to settings table<br />";
364 365
$cfg = array(
365
	'fingerprint_with_ip_octets' => '3'
366
	'fingerprint_with_ip_octets' => '2',
367
	'secure_form_module' => ''
366 368
);
367 369
foreach($cfg as $key=>$value) {
368 370
	db_add_key_value($key, $value);
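Review bot: The second hunk sets `'fingerprint_with_ip_octets' => '2'` as the upgrade value, while install/save.php in this same commit still seeds `('fingerprint_with_ip_octets', '3')`, so fresh and upgraded sites receive different defaults for the same setting. Whichever value is intended, the two files should agree; if `'3'` remains the install default, the line here should read `'fingerprint_with_ip_octets' => '3',`. If db_add_key_value only inserts missing keys (its body is not in this diff), the mismatch affects only sites that lack the key, but it is still worth making deliberate. The progress message above the array names only the fingerprint key, so `secure_form_module` is added silently; extending the echo text would help when reading upgrade output.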
branches/2.8.x/wb/admin/media/rename2.php
2 2
/**
3 3
 *
4 4
 * @category        admin
5
 * @package         admintools
5
 * @package         media
6 6
 * @author          WebsiteBaker Project
7 7
 * @copyright       2004-2009, Ryan Djurovich
8 8
 * @copyright       2009-2011, Website Baker Org. e.V.
......
44 44
	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$dirlink, false);
45 45
}
46 46

  
47
// Check for potentially malicious files and append 'txt' to their name
48
$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
49
// hardcodet forbidden filetypes
50
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
47
// Check for potentially malicious files
48
$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
51 49
// Get home folder not to show
52 50
$home_folders = get_home_folders();
53 51

  
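Review bot: With the hardcoded `'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'` prefix dropped, the forbidden list at new line 48 is derived entirely from the RENAME_FILES_ON_UPLOAD setting; if that setting is emptied or mistyped in the admin UI the media scripts lose their server-side floor, and an empty value yields an empty pattern fragment here. The same replacement appears in browse.php, rename.php and upload.php (including pclzipCheckValidFile) in this commit. Consider keeping a fixed minimum merged with the setting, and stripping stray separators so a trailing `,` or `;` does not create an empty alternative: `$forbidden_file_types = trim(preg_replace('/\s*[,;\|#]\s*/', '|', RENAME_FILES_ON_UPLOAD), '|');`. How `$forbidden_file_types` is applied in this file lies outside the hunk.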
branches/2.8.x/wb/admin/media/setparameter.php
2 2
/**
3 3
 *
4 4
 * @category        admin
5
 * @package         admintools
5
 * @package         media
6 6
 * @author          WebsiteBaker Project
7 7
 * @copyright       2004-2009, Ryan Djurovich
8 8
 * @copyright       2009-2011, Website Baker Org. e.V.
......
39 39
		$admin->print_error('::'.$MESSAGE['GENERIC_SECURITY_ACCESS'],'browse.php',false);
40 40
	}
41 41
*/
42
	//Check for existing settings entry, if not existing, create a record first!
43
	if (!$database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" )) {
44
		$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
42

  
43
	if(DEFAULT_THEME != ' wb_theme') {
44
		//Check for existing settings entry, if not existing, create a record first!
45
		if (!$database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" )) {
46
			$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
47
		}
48
	} else {
49
		$pathsettings = array();
45 50
	}
51

  
46 52
	$dirs = directory_list(WB_PATH.MEDIA_DIRECTORY);
47 53
	$dirs[] = WB_PATH.MEDIA_DIRECTORY;
48 54
	foreach($dirs AS $name) {
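Review bot: The new guard at new line 43, `if(DEFAULT_THEME != ' wb_theme')`, compares against a literal with a leading space, so unless the theme constant really carries that space the condition is always true and the `else` branch that initialises `$pathsettings` (the strict-warning fix this commit describes) never runs. The intended line is presumably `if(DEFAULT_THEME !== 'wb_theme') {`. parameters.php in this commit carries the same `' wb_theme'` literal at its new line 27.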
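--- a/branches/2.8.x/wb/admin/media/browse.php
+++ b/branches/2.8.x/wb/admin/media/browse.php
@@ -156,9 +156,8 @@
 	$usedFiles = $Dse->getMatchesFromDir( $currentdir, DseTwo::RETURN_USED);
 }
 
-$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
-// hardcodet forbidden filetypes
-$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
+// Check for potentially malicious files
+$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
 
 if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
 	// Loop through the files and dirs an add to list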
branches/2.8.x/wb/admin/media/parameters.php
2 2
/**
3 3
 *
4 4
 * @category        admin
5
 * @package         admintools
5
 * @package         media
6 6
 * @author          WebsiteBaker Project
7 7
 * @copyright       2004-2009, Ryan Djurovich
8 8
 * @copyright       2009-2011, Website Baker Org. e.V.
......
24 24
	return unserialize($__ret);
25 25
}
26 26
$pathsettings = array();
27
$query = $database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" );
28
if ($query && $query->numRows() > 0) {
29
	$settings = $query->fetchRow();
30
	$pathsettings = __unserialize($settings['value']);
31
} else {
32
	$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
27
if(DEFAULT_THEME != ' wb_theme') {
28
	$query = $database->query ( "SELECT * FROM ".TABLE_PREFIX."settings where `name`='mediasettings'" );
29
	if ($query && $query->numRows() > 0) {
30
		$settings = $query->fetchRow();
31
		$pathsettings = __unserialize($settings['value']);
32
	} else {
33
		$database->query ( "INSERT INTO ".TABLE_PREFIX."settings (`name`,`value`) VALUES ('mediasettings','')" );
34
	}
33 35
}
34 36

  
branches/2.8.x/wb/admin/media/rename.php
2 2
/**
3 3
 *
4 4
 * @category        admin
5
 * @package         admintools
5
 * @package         media
6 6
 * @author          WebsiteBaker Project
7 7
 * @copyright       2004-2009, Ryan Djurovich
8 8
 * @copyright       2009-2011, Website Baker Org. e.V.
......
45 45

  
46 46
// Get home folder not to show
47 47
$home_folders = get_home_folders();
48
// Check for potentially malicious files and append 'txt' to their name
49
$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
50
// hardcodet forbidden filetypes
51
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
48
// Check for potentially malicious files
49
$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
52 50

  
53 51
// Figure out what folder name the temp id is
54 52
if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
branches/2.8.x/wb/admin/media/upload.php
2 2
/**
3 3
 *
4 4
 * @category        admin
5
 * @package         admintools
5
 * @package         media
6 6
 * @author          WebsiteBaker Project
7 7
 * @copyright       2004-2009, Ryan Djurovich
8 8
 * @copyright       2009-2011, Website Baker Org. e.V.
......
41 41
// Include the WB functions file
42 42
require_once(WB_PATH.'/framework/functions.php');
43 43

  
44
$directory = ($target == '/') ?  '' : $target;
45
$dirlink = 'index.php?dir='.$directory;
46
$rootlink = 'index.php?dir=';
47

  
44 48
// Check to see if target contains ../
45 49
if (!check_media_path($target, false))
46 50
{
......
64 68

  
65 69
$file_extensions=explode(",",$file_extension_string);
66 70
// get from settings and add to forbidden list
67
$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
68
// hardcodet forbidden filetypes
69
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
71
$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
70 72
// Loop through the files
71 73
$good_uploads = 0;
72 74
$sum_dirs = 0;
73 75
$sum_files = 0;
74 76

  
75
for($count = 1; $count <= 10; $count++) {
77
for($count = 1; $count <= 10; $count++)
78
{
76 79
	// If file was upload to tmp
77
	if(isset($_FILES["file$count"]['name'])) {
80
	if(isset($_FILES["file$count"]['name']))
81
	{
78 82
		// Remove bad characters
79 83
		$filename = trim(media_filename($_FILES["file$count"]['name']),'.') ;
80 84
		// Check if there is still a filename left
......
82 86
		$info = pathinfo($filename);
83 87
		$ext = isset($info['extension']) ? $info['extension'] : '';
84 88

  
85
		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) ) {
89
		if ( ($filename != '') && !preg_match("/\." . $forbidden_file_types . "$/i", $ext) )
90
		{
86 91
			// Move to relative path (in media folder)
87 92
			if(file_exists($relative.$filename) AND $overwrite == true) {
88 93
				if(move_uploaded_file($_FILES["file$count"]['tmp_name'], $relative.$filename)) {
......
120 125
 */
121 126
function pclzipCheckValidFile($p_event, &$p_header)
122 127
{
123
                         //  return 1;
124
	$rename_file_types  = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
125
	// hardcodet forbidden filetypes
126
	$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types;
128
    //  return 1;
129
// Check for potentially malicious files
130
	$forbidden_file_types  = preg_replace( '/\s*[,;\|#]\s*/','|',RENAME_FILES_ON_UPLOAD);
127 131
	$info = pathinfo($p_header['filename']);
128 132
	$ext = isset($info['extension']) ? $info['extension'] : '';
129 133
	$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.');
......
139 143

  
140 144
// If the user chose to unzip the first file, unzip into the current folder
141 145
if (isset($_POST['unzip']) && isset($filename1) && file_exists($filename1) ) {
146
	// Required to unzip file.
147
	require_once(WB_PATH.'/include/pclzip/pclzip.lib.php');
142 148
	$archive = new PclZip($filename1);
143

  
144 149
	$list = $archive->extract(PCLZIP_OPT_PATH, $relative,PCLZIP_CB_PRE_EXTRACT, 'pclzipCheckValidFile');
145 150

  
146 151
	if($list == 0) {
......
161 166
unset($list);
162 167
if($sum_files == 1) {
163 168
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['SINGLE_UPLOADED'] );
169
} elseif($sum_files > 1) {
170
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );
164 171
} else {
165
	$admin->print_success($sum_files.' '.$MESSAGE['MEDIA']['UPLOADED'] );
172
	$admin->print_error($MESSAGE['MEDIA_NO_FILE_UPLOADED'] );
166 173
}
167 174

  
168 175
// Print admin
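Review bot: At new line 89 the rejection test is `!preg_match("/\." . $forbidden_file_types . "$/i", $ext)`, but `$ext` comes from `pathinfo()` at new line 87 and carries no leading dot, so the first alternative `\.ph.*?` of the new list can never match, and because the alternation is not grouped the `$` anchors only the last entry (`aspx`). The removed hardcoded list happened to contain a bare `php` alternative that matched anywhere in `$ext`; with the setting-derived list that alternative is gone, so `php`-type extensions are no longer caught by this check unless media_filename (outside the hunk) normalises them. Anchoring the whole list is the fix: `if ( ($filename != '') && !preg_match('/^(?:' . $forbidden_file_types . ')$/i', $ext) )`. pclzipCheckValidFile at new lines 128–130 builds the same fragment; where it is matched lies outside the hunk and should receive the same anchoring.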
branches/2.8.x/wb/admin/interface/version.php
52 52

  
53 53
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
54 54
if(!defined('VERSION')) define('VERSION', '2.8.2.RC7');
55
if(!defined('REVISION')) define('REVISION', '1475');
55
if(!defined('REVISION')) define('REVISION', '1476');
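--- a/branches/2.8.x/wb/install/save.php
+++ b/branches/2.8.x/wb/install/save.php
@@ -483,6 +483,7 @@
 	." ('page_extension', '.php'),"
 	." ('page_spacer', '-'),"
 	." ('pages_directory', '/pages'),"
+	." ('rename_files_on_upload', 'ph.*?,cgi,pl,pm,exe,com,bat,pif,cmd,src,asp,aspx'),"
 	." ('media_directory', '/media'),"
 	." ('operating_system', '$operating_system'),"
 	." ('string_file_mode', '$file_mode'),"
@@ -495,6 +496,7 @@
 	." ('wbmailer_smtp_username', ''),"
 	." ('wbmailer_smtp_password', ''),"
 	." ('fingerprint_with_ip_octets', '3'),"
+	." ('secure_form_module', ''),"
 	." ('mediasettings', '')";
 	$database->query($settings_rows);
 	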
branches/2.8.x/wb/modules/jsadmin/install.php
34 34
");
35 35

  
36 36
global $database;
37
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('1','mod_jsadmin_persist_order','0')");
38
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('2','mod_jsadmin_ajax_order_pages','0')");
39
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('3','mod_jsadmin_ajax_order_sections','0')");
37
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('1','mod_jsadmin_persist_order','1')");
38
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('2','mod_jsadmin_ajax_order_pages','1')");
39
$database->query("INSERT INTO ".$table." (id,name,value) VALUES ('3','mod_jsadmin_ajax_order_sections','1')");
40 40

  
41 41
?>
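Review bot: The three INSERT defaults change from `'0'` to `'1'` at new lines 37–39, presumably enabling persist order and both ajax ordering options for fresh installs, yet neither the commit message nor the CHANGELOG hunk in this commit mentions it. A CHANGELOG entry such as `! jsadmin: enable persist_order and ajax ordering by default on install` would make the behaviour change visible to upgraders.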
