From: garvinhicking
Date: Wed, 11 May 2005 09:40:58 +0000 (+0000)
Subject: Try to catch more "evil" opportunities.
X-Git-Tag: 0.9~469
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=b9945e3d55a8447f618a5852379434980ae3888b;p=s9y.git
Try to catch more "evil" opportunities. GUYS: We need some volunteers to check if uploads still work as expected and our latest changes don't break stuff. And of course that it's no longer exploitable.
---
diff --git a/include/admin/images.inc.php b/include/admin/images.inc.php
index bb3272a..86166a2 100644
--- a/include/admin/images.inc.php
+++ b/include/admin/images.inc.php
@@ -54,12 +54,17 @@ switch ($serendipity['GET']['adminAction']) {
 case 'rename':
 $file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
- $serendipity['GET']['newname'] = serendipity_uploadSecure($serendipity['GET']['newname']);
+ $serendipity['GET']['newname'] = serendipity_uploadSecure($serendipity['GET']['newname'], true);
 if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
 return;
 }
+ if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && !serendipity_isSafeFile($serendipity['GET']['newname'])) {
+ printf(ERROR_FILE_FORBIDDEN, $serendipity['GET']['newname']);
+ return;
+ }
+
 if ($file['hotlink']) {
 serendipity_updateImageInDatabase(array('name' => $serendipity['GET']['newname']), $serendipity['GET']['fid']);
 } else {
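Review bot: The guard added just before `if ($file['hotlink'])` is inverted: `serendipity_isSafeFile()` (defined in the include/functions_images.inc.php hunk) returns the raw `preg_match()` result, which is 1 exactly when the name ends in one of the listed executable extensions, so `!serendipity_isSafeFile(...)` rejects harmless names such as `photo.jpg` and lets a rename to a `.php` name through for users below USERLEVEL_ADMIN. Either drop the negation here, `if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && serendipity_isSafeFile($serendipity['GET']['newname'])) {`, or give the helper a name that matches its result (for example `serendipity_isActiveFile()`) so the call site reads the way it is intended. A short comment above the check, `// Non-admins may not rename a file to an extension the web server would execute`, would make the intent explicit for the next reader. The enclosing `case 'rename':` continues outside the hunk.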
@@ -131,7 +136,7 @@ switch ($serendipity['GET']['adminAction']) {
 }
 $tfile = serendipityNormalizeFilename(serendipity_uploadSecure($tfile));
- $serendipity['POST']['target_directory'][$tindex] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$tindex], true);
+ $serendipity['POST']['target_directory'][$tindex] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$tindex], true, true);
 $target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $serendipity['POST']['target_directory'][$tindex] . $tfile;
 if (file_exists($target)) {
@@ -195,7 +200,7 @@ switch ($serendipity['GET']['adminAction']) {
 }
 $tfile = serendipityNormalizeFilename(serendipity_uploadSecure($tfile));
- $serendipity['POST']['target_directory'][$idx] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$idx], true);
+ $serendipity['POST']['target_directory'][$idx] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$idx], true, true);
 $target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $serendipity['POST']['target_directory'][$idx] . $tfile;
 if (file_exists($target)) {
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index 3d38e9a..d069ecb 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -10,6 +10,9 @@ function serendipityNormalizeFilename($in) {
 return $out;
 }
+function serendipity_isSafeFile($file) {
+ return preg_match('@\.(php[34]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
+}
 /**
 * Get a list of images
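Review bot: `serendipity_isSafeFile()` in the functions_images.inc.php hunk has no docblock, and because its result is the bare `preg_match()` value (1 on a match, 0 otherwise, `false` on a PCRE error) a reader cannot tell from the name which way it answers; add a header such as `/** Returns 1 when $file ends in an extension the web server may execute (php, phtml, cgi, ...), 0 otherwise. Not a boolean: preg_match() can also return false. */` and consider casting with `(bool)` so callers can use `===`. The pattern inspects only the final extension, so a name whose basename begins with a dot (e.g. `.htaccess`) is not flagged even though it can change how the upload directory is served; a leading `if (preg_match('@^\.@', basename($file))) { return 1; }` would close that gap. Whether a server also executes a second-to-last extension is configuration dependent, so that case is worth documenting rather than assuming.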
@@ -1236,13 +1239,19 @@ function serendipity_deletePath($dir) {
 }
 }
-function serendipity_uploadSecure($var, $strip_paths = true) {
+function serendipity_uploadSecure($var, $strip_paths = true, $append_slash = false) {
 $var = preg_replace('@[^0-9a-z\._/-]@i', '', $var);
 if ($strip_paths) {
 $var = preg_replace('@(\.+[/\\\\]+)@', '/', $var);
 }
 $var = preg_replace('@^(/+)@', '', $var);
+
+ if ($append_slash) {
+ if (substr($var, -1, 1) != '/') {
+ $var .= '/';
+ }
+ }
 return $var;
 }
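Review bot: The new `$append_slash` block runs after the `$strip_paths` normalisation, and that normalisation (`\.+[/\\]+` → `/`) only collapses a dot run when a separator already follows it, so a value ending in `..` passes through untouched and only receives its `/` at the very end — the function can therefore emit the `../` form it is meant to remove. The two call sites in include/admin/images.inc.php that now pass `true, true` build `$target` directly from this result. Appending the slash before the dot-run replacement and the leading-slash strip lets both steps see the final string; the root case then yields `''` instead of `'/'`, which the `$target` concatenation should tolerate as long as `uploadPath` ends in a slash — worth confirming. `serendipity_uploadSecure()` lies entirely within the hunk.
```php
function serendipity_uploadSecure($var, $strip_paths = true, $append_slash = false) {
    $var = preg_replace('@[^0-9a-z\._/-]@i', '', $var);
    // Append first so the dot-run and leading-slash cleanup below operate on the final form.
    if ($append_slash && substr($var, -1, 1) !== '/') {
        $var .= '/';
    }
    if ($strip_paths) {
        $var = preg_replace('@(\.+[/\\\\]+)@', '/', $var);
    }
    $var = preg_replace('@^(/+)@', '', $var);
    return $var;
}
```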