Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX Add same security test whe nuploading files from API than from GUI (#31114)

Browse Source 
Co-authored-by: Laurent Destailleur <eldy@destailleur.fr>
This commit is contained in:
thomas-Ngr
2024-09-26 03:13:34 +02:00
committed by GitHub
parent 9f5ef68123
commit bb40a43c5f
2 changed files with 45 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
htdocs/api/class/api_documents.class.php
View File

@@ -693,7 +693,50 @@ class Documents extends DolibarrApi
throw new RestException(500, "Failed to open file '".$destfiletmp."' for write");
}
$result = dol_move($destfiletmp, $destfile, 0, $overwriteifexists, 1);
$disablevirusscan = 0;
$src_file = $destfiletmp;
$dest_file = $destfile;
// Security:
// If we need to make a virus scan
if (empty($disablevirusscan) && file_exists($src_file)) {
$checkvirusarray = dolCheckVirus($src_file);
if (count($checkvirusarray)) {
dol_syslog('Files.lib::dol_move_uploaded_file File "'.$src_file.'" (target name "'.$dest_file.'") KO with antivirus: errors='.join(',', $checkvirusarray), LOG_WARNING);
throw new RestException(500, 'ErrorFileIsInfectedWithAVirus: '.join(',', $checkvirusarray));
}
}
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) {
// $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
$publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
if (!preg_match('/\/$/', $publicmediasdirwithslash)) {
$publicmediasdirwithslash .= '/';
}
if (strpos($upload_dir, $publicmediasdirwithslash) !== 0 || !getDolGlobalInt("MAIN_DOCUMENT_DISABLE_NOEXE_IN_MEDIAS_DIR")) { // We never add .noexe on files into media directory
$dest_file .= '.noexe';
}
}
// Security:
// We refuse cache files/dirs, upload using .. and pipes into filenames.
if (preg_match('/^\./', basename($src_file)) || preg_match('/\.\./', $src_file) || preg_match('/[<>|]/', $src_file)) {
dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING);
throw new RestException(500, "Refused to deliver file ".$src_file);
}
// Security:
// We refuse cache files/dirs, upload using .. and pipes into filenames.
if (preg_match('/^\./', basename($dest_file)) || preg_match('/\.\./', $dest_file) || preg_match('/[<>|]/', $dest_file)) {
dol_syslog("Refused to deliver file ".$dest_file, LOG_WARNING);
throw new RestException(500, "Refused to deliver file ".$dest_file);
}
$result = dol_move($destfiletmp, $dest_file, 0, $overwriteifexists, 1, 1);
if (!$result) {
throw new RestException(500, "Failed to move file into '".$destfile."'");
}