FIX vulenrability reported by wizlynx WLX-2020-012

2025-12-06 17:48:25 +01:00 · 2020-06-17 14:45:15 +02:00
parent 23df5596e8
commit 6d6abd4320
4 changed files with 18 additions and 7 deletions
--- a/htdocs/core/actions_linkedfiles.inc.php
+++ b/htdocs/core/actions_linkedfiles.inc.php
@@ -209,8 +209,10 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave', 'alpha'))

 	            if (empty($reshook))
 	            {
-	            	if (! file_exists($destpath))
-	            	{
+	            	if (preg_match('/^\./', $filenameto)) {
+	            		$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
+	            		setEventMessages($langs->trans("ErrorFilenameCantStartWithDot", $filenameto), null, 'errors');
+	            	} elseif (! file_exists($destpath)) {
 	            		$result = dol_move($srcpath, $destpath);
 			            if ($result)
 			            {
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -324,11 +324,13 @@ function completeFileArrayWithDatabaseInfo(&$filearray, $relativedir)
 	// Complete filearray with properties found into $filearrayindatabase
 	foreach ($filearray as $key => $val)
 	{
+		$tmpfilename = preg_replace('/\.noexe$/', '', $filearray[$key]['name']);
+
 		$found = 0;
 		// Search if it exists into $filearrayindatabase
 		foreach ($filearrayindatabase as $key2 => $val2)
 		{
-			if ($filearrayindatabase[$key2]['name'] == $filearray[$key]['name'])
+			if ($filearrayindatabase[$key2]['name'] == $tmpfilename)
 			{
 				$filearray[$key]['position_name'] = ($filearrayindatabase[$key2]['position'] ? $filearrayindatabase[$key2]['position'] : '0').'_'.$filearrayindatabase[$key2]['name'];
 				$filearray[$key]['position'] = $filearrayindatabase[$key2]['position'];
@@ -349,7 +351,7 @@ function completeFileArrayWithDatabaseInfo(&$filearray, $relativedir)
 			$filearray[$key]['acl'] = '';

 			$rel_filename = preg_replace('/^'.preg_quote(DOL_DATA_ROOT, '/').'/', '', $filearray[$key]['fullname']);
-			if (!preg_match('/([\\/]temp[\\/]|[\\/]thumbs|\.meta$)/', $rel_filetorenameafter))     // If not a tmp file
+			if (!preg_match('/([\\/]temp[\\/]|[\\/]thumbs|\.meta$)/', $rel_filename))     // If not a tmp file
 			{
 				dol_syslog("list_of_documents We found a file called '".$filearray[$key]['name']."' not indexed into database. We add it");
 				include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php';
@@ -1529,6 +1531,7 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
 	if (!empty($_FILES[$varfiles])) // For view $_FILES[$varfiles]['error']
 	{
 		dol_syslog('dol_add_file_process upload_dir='.$upload_dir.' allowoverwrite='.$allowoverwrite.' donotupdatesession='.$donotupdatesession.' savingdocmask='.$savingdocmask, LOG_DEBUG);
+
 		if (dol_mkdir($upload_dir) >= 0)
 		{
 			$TFile = $_FILES[$varfiles];
@@ -1554,6 +1557,13 @@ function dol_add_file_process($upload_dir, $allowoverwrite = 0, $donotupdatesess
 					$destfile=preg_replace('/__file__/', $TFile['name'][$i], $savingdocmask);
 				}

+				$filenameto = basename($destfile);
+				if (preg_match('/^\./', $filenameto)) {
+					$langs->load("errors"); // key must be loaded because we can't rely on loading during output, we need var substitution to be done now.
+					setEventMessages($langs->trans("ErrorFilenameCantStartWithDot", $filenameto), null, 'errors');
+					break;
+				}
+
 				// dol_sanitizeFileName the file name and lowercase extension
 				$info = pathinfo($destfull);
 				$destfull = $info['dirname'].'/'.dol_sanitizeFileName($info['filename'].($info['extension']!='' ? ('.'.strtolower($info['extension'])) : ''));
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8571,9 +8571,7 @@ function isAFileWithExecutableContent($filename)
    {
        return true;
    }
-    if (preg_match('/^\./', $filename)) {	// We consider file starting with a . as dangerous as executable files. For example .htaccess, .xxx
-		return true;
-    }
+
    return false;
 }

--- a/htdocs/langs/en_US/errors.lang
+++ b/htdocs/langs/en_US/errors.lang
@@ -182,6 +182,7 @@ ErrorBadDefinitionOfMenuArrayInModuleDescriptor=Bad Definition Of Menu Array In
 ErrorSavingChanges=An error has occurred when saving the changes
 ErrorWarehouseRequiredIntoShipmentLine=Warehouse is required on the line to ship
 ErrorFileMustHaveFormat=File must have format %s
+ErrorFilenameCantStartWithDot=Filename can't start with a '.'
 ErrorSupplierCountryIsNotDefined=Country for this vendor is not defined. Correct this first.
 ErrorsThirdpartyMerge=Failed to merge the two records. Request canceled.
 ErrorStockIsNotEnoughToAddProductOnOrder=Stock is not enough for product %s to add it into a new order.