Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX vulenrability reported by wizlynx WLX-2020-012

Browse Source
This commit is contained in:
Laurent Destailleur
2020-06-17 14:45:15 +02:00
parent 23df5596e8
commit 6d6abd4320
4 changed files with 18 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
htdocs/core/actions_linkedfiles.inc.php
View File

@@ -209,8 +209,10 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha'))
if (empty($reshook)) if (empty($reshook))
{ {
if (! file_exists($destpath)) if (preg_match('/^\./', $filenameto)) {
{ $langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
setEventMessages($langs->trans("ErrorFilenameCantStartWithDot", $filenameto), null, 'errors');
} elseif (! file_exists($destpath)) {
$result = dol_move($srcpath, $destpath); $result = dol_move($srcpath, $destpath);
if ($result) if ($result)
{ {

14
htdocs/core/lib/files.lib.php
View File

@@ -324,11 +324,13 @@ function completeFileArrayWithDatabaseInfo(&$filearray, $relativedir)
// Complete filearray with properties found into $filearrayindatabase // Complete filearray with properties found into $filearrayindatabase
foreach ($filearray as $key => $val) foreach ($filearray as $key => $val)
{ {
$tmpfilename = preg_replace('/\.noexe$/', '', $filearray[$key]['name']);
$found = 0; $found = 0;
// Search if it exists into $filearrayindatabase // Search if it exists into $filearrayindatabase
foreach ($filearrayindatabase as $key2 => $val2) foreach ($filearrayindatabase as $key2 => $val2)
{ {
if ($filearrayindatabase[$key2]['name'] == $filearray[$key]['name']) if ($filearrayindatabase[$key2]['name'] == $tmpfilename)
{ {
$filearray[$key]['position_name'] = ($filearrayindatabase[$key2]['position'] ? $filearrayindatabase[$key2]['position'] : '0').'_'.$filearrayindatabase[$key2]['name']; $filearray[$key]['position_name'] = ($filearrayindatabase[$key2]['position'] ? $filearrayindatabase[$key2]['position'] : '0').'_'.$filearrayindatabase[$key2]['name'];
$filearray[$key]['position'] = $filearrayindatabase[$key2]['position']; $filearray[$key]['position'] = $filearrayindatabase[$key2]['position'];
@@ -349,7 +351,7 @@ function completeFileArrayWithDatabaseInfo(&$filearray, $relativedir)
$filearray[$key]['acl'] = ''; $filearray[$key]['acl'] = '';
$rel_filename = preg_replace('/^'.preg_quote(DOL_DATA_ROOT, '/').'/', '', $filearray[$key]['fullname']); $rel_filename = preg_replace('/^'.preg_quote(DOL_DATA_ROOT, '/').'/', '', $filearray[$key]['fullname']);
if (!preg_match('/([\\/]temp[\\/]|[\\/]thumbs|\.meta$)/', $rel_filetorenameafter)) // If not a tmp file if (!preg_match('/([\\/]temp[\\/]|[\\/]thumbs|\.meta$)/', $rel_filename)) // If not a tmp file
{ {
dol_syslog("list_of_documents We found a file called '".$filearray[$key]['name']."' not indexed into database. We add it"); dol_syslog("list_of_documents We found a file called '".$filearray[$key]['name']."' not indexed into database. We add it");
include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php'; include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php';
@@ -1529,6 +1531,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
if (!empty($_FILES[$varfiles])) // For view $_FILES[$varfiles]['error'] if (!empty($_FILES[$varfiles])) // For view $_FILES[$varfiles]['error']
{ {
dol_syslog('dol_add_file_process upload_dir='.$upload_dir.' allowoverwrite='.$allowoverwrite.' donotupdatesession='.$donotupdatesession.' savingdocmask='.$savingdocmask, LOG_DEBUG); dol_syslog('dol_add_file_process upload_dir='.$upload_dir.' allowoverwrite='.$allowoverwrite.' donotupdatesession='.$donotupdatesession.' savingdocmask='.$savingdocmask, LOG_DEBUG);
if (dol_mkdir($upload_dir) >= 0) if (dol_mkdir($upload_dir) >= 0)
{ {
$TFile = $_FILES[$varfiles]; $TFile = $_FILES[$varfiles];
@@ -1554,6 +1557,13 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
$destfile=preg_replace('/__file__/', $TFile['name'][$i], $savingdocmask); $destfile=preg_replace('/__file__/', $TFile['name'][$i], $savingdocmask);
} }
$filenameto = basename($destfile);
if (preg_match('/^\./', $filenameto)) {
$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
setEventMessages($langs->trans("ErrorFilenameCantStartWithDot", $filenameto), null, 'errors');
break;
}
// dol_sanitizeFileName the file name and lowercase extension // dol_sanitizeFileName the file name and lowercase extension
$info = pathinfo($destfull); $info = pathinfo($destfull);
$destfull = $info['dirname'].'/'.dol_sanitizeFileName($info['filename'].($info['extension']!='' ? ('.'.strtolower($info['extension'])) : '')); $destfull = $info['dirname'].'/'.dol_sanitizeFileName($info['filename'].($info['extension']!='' ? ('.'.strtolower($info['extension'])) : ''));

4
htdocs/core/lib/functions.lib.php
View File

@@ -8571,9 +8571,7 @@ function isAFileWithExecutableContent($filename)
{ {
return true; return true;
} }
if (preg_match('/^\./', $filename)) { // We consider file starting with a . as dangerous as executable files. For example .htaccess, .xxx
return true;
}
return false; return false;
} }

1
htdocs/langs/en_US/errors.lang
View File

@@ -182,6 +182,7 @@ ErrorBadDefinitionOfMenuArrayInModuleDescriptor=Bad Definition Of Menu Array In
ErrorSavingChanges=An error has occurred when saving the changes ErrorSavingChanges=An error has occurred when saving the changes
ErrorWarehouseRequiredIntoShipmentLine=Warehouse is required on the line to ship ErrorWarehouseRequiredIntoShipmentLine=Warehouse is required on the line to ship
ErrorFileMustHaveFormat=File must have format %s ErrorFileMustHaveFormat=File must have format %s
ErrorFilenameCantStartWithDot=Filename can't start with a '.'
ErrorSupplierCountryIsNotDefined=Country for this vendor is not defined. Correct this first. ErrorSupplierCountryIsNotDefined=Country for this vendor is not defined. Correct this first.
ErrorsThirdpartyMerge=Failed to merge the two records. Request canceled. ErrorsThirdpartyMerge=Failed to merge the two records. Request canceled.
ErrorStockIsNotEnoughToAddProductOnOrder=Stock is not enough for product %s to add it into a new order. ErrorStockIsNotEnoughToAddProductOnOrder=Stock is not enough for product %s to add it into a new order.