Test/vtenext
1
0
Fork 0
mirror of https://github.com/VTECRM/vtenext.git synced 2026-02-26 16:18:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

TTTT228766 - Security Fix

Browse Source
This commit is contained in:
Daniele 2021-08-10 09:41:07 +02:00 committed by GitHub
parent 0b7471e3df
commit 3faaec424d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 39 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
modules/Emails/plupload/upload.php
View File

@ -10,15 +10,38 @@
* Contributing: http://www.plupload.com/contributing
*/
// Settings
$targetDir = 'storage/uploads_emails_'.$_REQUEST['dir']; //crmv@2963m
//crmv@228766
if(!isset($root_directory)){
require('../../../config.inc.php');
}
chdir($root_directory);
require_once('include/utils/utils.php');
VteSession::start();
if(!VteSession::hasKey('authenticated_user_id')) die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Not Authorized."}, "id" : "id"}');
// crmv@228766e
// Settings
$targetDir = 'storage/uploads_emails_'.str_replace('../', '', $_REQUEST['dir']);//crmv@2963m crmv@228766
// crmv@228766
$tempRootDir = rtrim($root_directory, "/");
// Create target dir
if (!file_exists($targetDir)){
@mkdir($targetDir);
checkIfPathIsInStorage($targetDir, $tempRootDir);
@file_put_contents($targetDir."/index.html", "<html></html>\n"); // crmv@195947
} else {
checkIfPathIsInStorage($targetDir, $tempRootDir);
}
function checkIfPathIsInStorage($path, $rootPath){
if (strpos(dirname(realpath($path)), $rootPath.'/storage') !== 0){
die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Bad dir."}, "id" : "id"}');
}
}
// crmv@228766e
//crmv@81704
if ($_REQUEST['ckeditor'] == 'true'){
$response_arr = Array(
@ -85,6 +108,13 @@ $chunk = isset($_REQUEST["chunk"]) ? $_REQUEST["chunk"] : 0;
$chunks = isset($_REQUEST["chunks"]) ? $_REQUEST["chunks"] : 0;
$fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : '';
// crmv@228766
$ext = pathinfo($fileName, PATHINFO_EXTENSION);
if (is_array($upload_badext) && in_array($ext, $upload_badext)){
die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "File type not supported."}, "id" : "id"}');
}
// crmv@228766e
// Clean the fileName for security reasons
$fileName = preg_replace('/[^\w\._]+/', '', $fileName);
@ -137,7 +167,7 @@ if (strpos($contentType, "multipart") !== false) {
if ($in) {
while ($buff = fread($in, 4096))
fwrite($out, $buff);
// crmv@205309
// crmv@205309
} else {
header("HTTP/1.0 500 Internal Server Error");
die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
@ -160,7 +190,7 @@ if (strpos($contentType, "multipart") !== false) {
// crmv@205309e
}
// crmv@205309
// crmv@205309
} else {
header("HTTP/1.0 500 Internal Server Error");
die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
@ -176,7 +206,7 @@ if (strpos($contentType, "multipart") !== false) {
if ($in) {
while ($buff = fread($in, 4096))
fwrite($out, $buff);
// crmv@205309
// crmv@205309
} else {
header("HTTP/1.0 500 Internal Server Error");
die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
@ -204,4 +234,3 @@ if (strpos($contentType, "multipart") !== false) {
// Return JSON-RPC response
die('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}');
//crmv@22123e
?>