Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-17 15:01:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix We never add .noexe of files into medias dir

Browse Source
This commit is contained in:
Laurent Destailleur
2020-06-12 14:35:50 +02:00
parent a0b6d9c4e0
commit 5d5fb46af6
4 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
htdocs/core/actions_linkedfiles.inc.php
View File

@@ -197,8 +197,14 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha'))
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{ {
// $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
$publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/';
if ($upload_dir != $publicmediasdirwithslash) { // We never add .noexe on files into media directory
$filenameto .= '.noexe'; $filenameto .= '.noexe';
} }
}
if ($filenamefrom && $filenameto) if ($filenamefrom && $filenameto)
{ {

11
htdocs/core/lib/files.lib.php
View File

@@ -1008,10 +1008,11 @@ function dolCheckVirus($src_file)
* @param integer $uploaderrorcode Value of PHP upload error code ($_FILES['field']['error']) * @param integer $uploaderrorcode Value of PHP upload error code ($_FILES['field']['error'])
* @param int $nohook Disable all hooks * @param int $nohook Disable all hooks
* @param string $varfiles _FILES var name * @param string $varfiles _FILES var name
* @param string $upload_dir For information. Already included into $dest_file.
* @return int|string 1 if OK, 2 if OK and .noexe appended, <0 or string if KO * @return int|string 1 if OK, 2 if OK and .noexe appended, <0 or string if KO
* @see dol_move() * @see dol_move()
*/ */
function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile') function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disablevirusscan = 0, $uploaderrorcode = 0, $nohook = 0, $varfiles = 'addedfile', $upload_dir = '')
{ {
global $conf, $db, $user, $langs; global $conf, $db, $user, $langs;
global $object, $hookmanager; global $object, $hookmanager;
@@ -1068,9 +1069,15 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code. // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED)) if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{ {
// $upload_dir ends with a slash, so be must be sure the medias dir to compare to ends with slash too.
$publicmediasdirwithslash = $conf->medias->multidir_output[$conf->entity];
if (! preg_match('/\/$/', $publicmediasdirwithslash)) $publicmediasdirwithslash.='/';
if ($upload_dir != $publicmediasdirwithslash) { // We never add .noexe on files into media directory
$file_name .= '.noexe'; $file_name .= '.noexe';
$successcode = 2; $successcode = 2;
} }
}
// Security: // Security:
// We refuse cache files/dirs, upload using .. and pipes into filenames. // We refuse cache files/dirs, upload using .. and pipes into filenames.
@@ -1580,7 +1587,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
$destfull = dol_string_nohtmltag($destfull); $destfull = dol_string_nohtmltag($destfull);
// Move file from temp directory to final directory. A .noexe may also be appended on file name. // Move file from temp directory to final directory. A .noexe may also be appended on file name.
$resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles); $resupload = dol_move_uploaded_file($TFile['tmp_name'][$i], $destfull, $allowoverwrite, 0, $TFile['error'][$i], 0, $varfiles, $upload_dir);
if (is_numeric($resupload) && $resupload > 0) // $resupload can be 'ErrorFileAlreadyExists' if (is_numeric($resupload) && $resupload > 0) // $resupload can be 'ErrorFileAlreadyExists'
{ {

2
htdocs/ecm/class/ecmfiles.class.php
View File

@@ -67,7 +67,7 @@ class EcmFiles extends CommonObject
*/ */
public $entity; public $entity;
public $filename; public $filename; // Note: Into ecm database record, the entry $filename never ends with .noexe
public $filepath; public $filepath;
public $fullpath_orig; public $fullpath_orig;

2
htdocs/website/index.php
View File

@@ -208,7 +208,7 @@ $permtouploadfile = $user->rights->website->write;
$diroutput = $conf->medias->multidir_output[$conf->entity]; $diroutput = $conf->medias->multidir_output[$conf->entity];
$relativepath = $section_dir; $relativepath = $section_dir;
$upload_dir = $diroutput.'/'.$relativepath; $upload_dir = preg_replace('/\/$/', '', $diroutput).'/'.preg_replace('/^\//', '', $relativepath);
$htmlheadercontentdefault = ''; $htmlheadercontentdefault = '';
$htmlheadercontentdefault .= '<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700" />'."\n"; $htmlheadercontentdefault .= '<link rel="stylesheet" id="google-fonts-css" href="//fonts.googleapis.com/css?family=Open+Sans:300,400,700" />'."\n";