From 8d11813ea5fbefc3cfbb6e3295dc8fd5fcfc8d3d Mon Sep 17 00:00:00 2001
From: lmarcouiller
Date: Mon, 14 Mar 2022 11:45:23 +0100
Subject: [PATCH] fix security problems and add zstd support
---
 htdocs/core/lib/files.lib.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 86c740c4f44..37bc946a8b6 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2146,22 +2146,24 @@ function dol_uncompress($inputfile, $outputdir)
 }
 return array('error'=>'ErrNoZipEngine');
- } elseif ($fileinfo["extension"] == "gz" || $fileinfo["extension"] == "bz2") {
+ } elseif (in_array($fileinfo["extension"], array('gz','bz2','zst'))) {
 $extension = pathinfo($fileinfo["filename"], PATHINFO_EXTENSION);
 if ($extension == "tar") {
- $cmd = "tar -C ".$outputdir." -xvf ".$fileinfo["dirname"]."/".$fileinfo["basename"];
+ $cmd = 'tar -C '.escapeshellcmd(dol_sanitizePathName($outputdir)).' -xvf '.escapeshellcmd(dol_sanitizePathName($fileinfo["dirname"]).'/'.dol_sanitizeFileName($fileinfo["basename"]));
 $resarray = $utils->executeCLI($cmd, $outputdir);
 } else {
 $program = "";
 if ($fileinfo["extension"] == "gz") {
- $program = "gzip";
+ $program = 'gzip';
 } elseif ($fileinfo["extension"] == "bz2") {
- $program = "bzip2";
+ $program = 'bzip2';
+ } elseif ($fileinfo["extension"] == "zst") {
+ $program = 'zstd';
 } else {
 return array('error'=>'ErrFileExtension');
 }
- $cmd = $program." -dc ".$fileinfo["dirname"]."/".$fileinfo["basename"];
- $outputfilename = $outputdir."/".$fileinfo["filename"];
+ $cmd = $program.' -dc '.escapeshellcmd(dol_sanitizePathName($fileinfo["dirname"]).'/'.dol_sanitizeFileName($fileinfo["basename"]));
+ $outputfilename = escapeshellcmd(dol_sanitizePathName($outputdir).'/'.dol_sanitizeFileName($fileinfo["filename"]));
 $resarray = $utils->executeCLI($cmd, $outputfilename, 0, $outputfilename);
 if ($resarray["output"] == 2) {
 $resarray["error"] = "ErrFilePermOrFileNotFound";
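Review bot: `escapeshellcmd()` on the three new `$cmd` lines escapes shell metacharacters in the string as a whole but neither quotes nor delimits an argument, so a `$outputdir`, dirname or basename that contains whitespace still splits into several tar/gzip arguments, and a basename beginning with `-` is still read as an option by gzip, bzip2 and zstd (tar's `-f` consumes the following word, but the decompressor branch has no such guard); whether `dol_sanitizeFileName()` removes those characters cannot be seen here. Quote every argument with `escapeshellarg()` and put `--` before the archive path so option parsing stops. The new `$outputfilename` is also shell-escaped before being passed to `executeCLI()` as its 2nd and 4th parameter, where the tar branch hands over the unescaped `$outputdir`, so those parameters are presumably plain filesystem paths and the inserted backslashes would alter the path; keep the unescaped path for them and escape only what is spliced into the command string. `dol_uncompress()` begins and ends outside the hunk.
```php
$extension = pathinfo($fileinfo["filename"], PATHINFO_EXTENSION);
// Filesystem path of the archive; escaped only where it enters a command string
$archive = dol_sanitizePathName($fileinfo["dirname"]).'/'.dol_sanitizeFileName($fileinfo["basename"]);
if ($extension == "tar") {
    $cmd = 'tar -C '.escapeshellarg(dol_sanitizePathName($outputdir)).' -xvf '.escapeshellarg($archive);
    $resarray = $utils->executeCLI($cmd, $outputdir);
} else {
    // … unchanged: $program selection (gzip / bzip2 / zstd) …
    // '--' ends option parsing so a name starting with '-' is treated as a file
    $cmd = $program.' -dc -- '.escapeshellarg($archive);
    $outputfilename = dol_sanitizePathName($outputdir).'/'.dol_sanitizeFileName($fileinfo["filename"]);
    $resarray = $utils->executeCLI($cmd, $outputfilename, 0, $outputfilename);
```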