Test/vtenext
1
0
Fork 0
mirror of https://github.com/VTECRM/vtenext.git synced 2026-02-26 16:18:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

TTTT228766 - Security Fix

Browse Source
This commit is contained in:
Daniele 2021-08-10 09:41:07 +02:00 committed by GitHub
parent 0b7471e3df
commit 3faaec424d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 39 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
modules/Emails/plupload/upload.php
View File

@ -10,15 +10,38 @@
* Contributing: http://www.plupload.com/contributing * Contributing: http://www.plupload.com/contributing
*/ */
// Settings //crmv@228766
$targetDir = 'storage/uploads_emails_'.$_REQUEST['dir']; //crmv@2963m if(!isset($root_directory)){
require('../../../config.inc.php');
}
chdir($root_directory);
require_once('include/utils/utils.php');
VteSession::start();
if(!VteSession::hasKey('authenticated_user_id')) die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Not Authorized."}, "id" : "id"}');
// crmv@228766e
// Settings
$targetDir = 'storage/uploads_emails_'.str_replace('../', '', $_REQUEST['dir']);//crmv@2963m crmv@228766
// crmv@228766
$tempRootDir = rtrim($root_directory, "/");
// Create target dir // Create target dir
if (!file_exists($targetDir)){ if (!file_exists($targetDir)){
@mkdir($targetDir); @mkdir($targetDir);
checkIfPathIsInStorage($targetDir, $tempRootDir);
@file_put_contents($targetDir."/index.html", "<html></html>\n"); // crmv@195947 @file_put_contents($targetDir."/index.html", "<html></html>\n"); // crmv@195947
} else {
checkIfPathIsInStorage($targetDir, $tempRootDir);
} }
function checkIfPathIsInStorage($path, $rootPath){
if (strpos(dirname(realpath($path)), $rootPath.'/storage') !== 0){
die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Bad dir."}, "id" : "id"}');
}
}
// crmv@228766e
//crmv@81704 //crmv@81704
if ($_REQUEST['ckeditor'] == 'true'){ if ($_REQUEST['ckeditor'] == 'true'){
$response_arr = Array( $response_arr = Array(
@ -60,7 +83,7 @@ if ($_REQUEST['ckeditor'] == 'true'){
} }
echo Zend_Json::encode($response_arr); echo Zend_Json::encode($response_arr);
exit; exit;
} }
//crmv@81704 e //crmv@81704 e
@ -85,6 +108,13 @@ $chunk = isset($_REQUEST["chunk"]) ? $_REQUEST["chunk"] : 0;
$chunks = isset($_REQUEST["chunks"]) ? $_REQUEST["chunks"] : 0; $chunks = isset($_REQUEST["chunks"]) ? $_REQUEST["chunks"] : 0;
$fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : ''; $fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : '';
// crmv@228766
$ext = pathinfo($fileName, PATHINFO_EXTENSION);
if (is_array($upload_badext) && in_array($ext, $upload_badext)){
die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "File type not supported."}, "id" : "id"}');
}
// crmv@228766e
// Clean the fileName for security reasons // Clean the fileName for security reasons
$fileName = preg_replace('/[^\w\._]+/', '', $fileName); $fileName = preg_replace('/[^\w\._]+/', '', $fileName);
@ -124,7 +154,7 @@ if (isset($_SERVER["HTTP_CONTENT_TYPE"]))
if (isset($_SERVER["CONTENT_TYPE"])) if (isset($_SERVER["CONTENT_TYPE"]))
$contentType = $_SERVER["CONTENT_TYPE"]; $contentType = $_SERVER["CONTENT_TYPE"];
// Handle non multipart uploads older WebKit versions didn't support multipart in HTML5 // Handle non multipart uploads older WebKit versions didn't support multipart in HTML5
if (strpos($contentType, "multipart") !== false) { if (strpos($contentType, "multipart") !== false) {
if (isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) { if (isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
@ -137,7 +167,7 @@ if (strpos($contentType, "multipart") !== false) {
if ($in) { if ($in) {
while ($buff = fread($in, 4096)) while ($buff = fread($in, 4096))
fwrite($out, $buff); fwrite($out, $buff);
// crmv@205309 // crmv@205309
} else { } else {
header("HTTP/1.0 500 Internal Server Error"); header("HTTP/1.0 500 Internal Server Error");
die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}'); die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
@ -159,8 +189,8 @@ if (strpos($contentType, "multipart") !== false) {
} }
// crmv@205309e // crmv@205309e
} }
// crmv@205309 // crmv@205309
} else { } else {
header("HTTP/1.0 500 Internal Server Error"); header("HTTP/1.0 500 Internal Server Error");
die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}'); die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
@ -176,7 +206,7 @@ if (strpos($contentType, "multipart") !== false) {
if ($in) { if ($in) {
while ($buff = fread($in, 4096)) while ($buff = fread($in, 4096))
fwrite($out, $buff); fwrite($out, $buff);
// crmv@205309 // crmv@205309
} else { } else {
header("HTTP/1.0 500 Internal Server Error"); header("HTTP/1.0 500 Internal Server Error");
die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}'); die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
@ -185,7 +215,7 @@ if (strpos($contentType, "multipart") !== false) {
fclose($in); fclose($in);
fclose($out); fclose($out);
} else { } else {
// crmv@205309 // crmv@205309
// try to save in database // try to save in database
@ -204,4 +234,3 @@ if (strpos($contentType, "multipart") !== false) {
// Return JSON-RPC response // Return JSON-RPC response
die('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}'); die('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}');
//crmv@22123e //crmv@22123e
?>