Beanz/flatpress
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bufix: Checking uploaded files' extensions looked for the tmp file name, not the actual file name. Fixes #152 as well - thanks @s4n-h4xor!

Browse Source
This commit is contained in:
azett 2022-10-01 13:33:34 +02:00
parent 225e3b1b8d
commit 92c0b2a517
2 changed files with 130 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -9,6 +9,7 @@
- jQuery plugin: Updated jQuery (3.5.1 => 3.6) and jQueryUI (1.12.1 => 1.13.1)
- Media Manager plugin shows 50 items per page, not 10
- LastComments plugin will not even attempt to delete or rebuild LastComments caches if LastComments plugin is not available ([#43](https://github.com/flatpressblog/flatpress/issues/43))
- Comment Center config page threw errors ([#90](https://github.com/flatpressblog/flatpress/issues/90))
## Themes
- Leggero
@ -29,7 +30,6 @@
- Search page: Month names displayed in configured frontend language ([#132](https://github.com/flatpressblog/flatpress/issues/132))
## Other bugfixes
- Comment Center config page threw errors ([#90](https://github.com/flatpressblog/flatpress/issues/90))
- Plugin management page: Removed empty warning messages box
- Fixed error at prev link on first / next link on last entry ([#95](https://github.com/flatpressblog/flatpress/issues/95))
- Logout redirects to home page again ([#119](https://github.com/flatpressblog/flatpress/issues/119))

255
admin/panels/uploader/admin.uploader.php
View File

@ -102,133 +102,136 @@ class admin_uploader_default extends AdminPanelAction {
foreach ($_FILES ["upload"] ["error"] as $key => $error) {
if ($error == UPLOAD_ERR_OK) {
$tmp_name = $_FILES ["upload"] ["tmp_name"] [$key];
$name = $_FILES ["upload"] ["name"] [$key];
$dir = ATTACHS_DIR;
/*
* second check extension list
* https://stackoverflow.com/questions/4166762/php-image-upload-security-check-list
*
* 2019-11-24 - laborix
*/
$uploadfilename = strtolower($tmp_name);
$isForbidden = false;
$deeptest = array();
$extcount = 0;
$deeptest = explode('.', $uploadfilename);
$extcount = count($deeptest);
if ($extcount == 1) {
/*
* none extension like .jpg or something else
*
* possible filename = simple-file-without-extension - linux like ok
*/
$isForbidden = false;
} elseif ($extcount == 2) {
/*
* Only one possible extension
*
* possible filename = 1.jpg
* possible filename = admin.uploader.php
* possible filename = .htaccess
* and so on...
*/
$check_ext1 = "";
$check_ext1 = trim($deeptest [1], "\x00..\x1F");
if (in_array($check_ext1, $blacklist_extensions)) {
$isForbidden = true;
} else {
$isForbidden = false;
}
} elseif ($extcount > 2) {
/*
* Chekc only the last two possible extensions
*
* Hint: OWASP - Unrestricted File Upload
*
* In Apache, a php file might be executed using the
* double extension technique such as "file.php.jpg"
* when ".jpg" is allowed.
*
* possible filename = 1.PhP.jpg
* possible filename = admin.uploader.php.JPg
* and so on...
*/
$check_ext1 = "";
$check_ext2 = "";
$check_ext1 = trim($deeptest [$extcount - 1], "\x00..\x1F");
if (in_array($check_ext1, $blacklist_extensions)) {
$isForbidden = true;
} else {
$isForbidden = false;
}
/* Test only if first extension check are not in the blacklist */
if (!$isForbidden) {
$check_ext2 = trim($deeptest [$extcount - 2], "\x00..\x1F");
if (in_array($check_ext2, $blacklist_extensions)) {
$isForbidden = true;
} else {
$isForbidden = false;
}
}
}
/*
* If one blacklisted extension found then
* return with -1 = An error occurred while trying to upload.
*/
if ($isForbidden) {
$this->smarty->assign('success', $success ? 1 : -1);
sess_add('admin_uploader_files', $uploaded_files);
return -1;
}
/*
* third check extension
* if someone upload a .php file as .gif, .jpg or .txt
* if someone upload a .html file as .gif, .jpg or .txt
*
* 2019-11-24 - laborix
*/
if (version_compare(PHP_VERSION, '5.3.0') < 0)
return -1;
if (!function_exists('finfo_open'))
return -1;
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $tmp_name);
finfo_close($finfo);
if (($mime == "text/x-php") || ($mime == "text/html")) {
$this->smarty->assign('success', $success ? 1 : -1);
sess_add('admin_uploader_files', $uploaded_files);
return -1;
}
$ext = strtolower(strrchr($name, '.'));
if (in_array($ext, $imgs)) {
$dir = IMAGES_DIR;
}
$name = sanitize_title(substr($name, 0, -strlen($ext))) . $ext;
$target = "$dir/$name";
@umask(022);
$success = move_uploaded_file($tmp_name, $target);
@chmod($target, 0766);
$uploaded_files [] = $name;
// one failure will make $success == false :)
$success &= $success;
// Upload went wrong -> jump to the next file
if ($error != UPLOAD_ERR_OK) {
continue;
}
$tmp_name = $_FILES ["upload"] ["tmp_name"] [$key];
$name = $_FILES ["upload"] ["name"] [$key];
$dir = ATTACHS_DIR;
/*
* second check extension list
* https://stackoverflow.com/questions/4166762/php-image-upload-security-check-list
*
* 2019-11-24 - laborix
*/
$uploadfilename = strtolower($name);
$isForbidden = false;
$deeptest = array();
$extcount = 0;
$deeptest = explode('.', $uploadfilename);
$extcount = count($deeptest);
if ($extcount == 1) {
/*
* none extension like .jpg or something else
*
* possible filename = simple-file-without-extension - linux like ok
*/
$isForbidden = false;
} elseif ($extcount == 2) {
/*
* Only one possible extension
*
* possible filename = 1.jpg
* possible filename = admin.uploader.php
* possible filename = .htaccess
* and so on...
*/
$check_ext1 = "";
$check_ext1 = trim($deeptest [1], "\x00..\x1F");
if (in_array($check_ext1, $blacklist_extensions)) {
$isForbidden = true;
} else {
$isForbidden = false;
}
} elseif ($extcount > 2) {
/*
* Chekc only the last two possible extensions
*
* Hint: OWASP - Unrestricted File Upload
*
* In Apache, a php file might be executed using the
* double extension technique such as "file.php.jpg"
* when ".jpg" is allowed.
*
* possible filename = 1.PhP.jpg
* possible filename = admin.uploader.php.JPg
* and so on...
*/
$check_ext1 = "";
$check_ext2 = "";
$check_ext1 = trim($deeptest [$extcount - 1], "\x00..\x1F");
if (in_array($check_ext1, $blacklist_extensions)) {
$isForbidden = true;
} else {
$isForbidden = false;
}
/* Test only if first extension check are not in the blacklist */
if (!$isForbidden) {
$check_ext2 = trim($deeptest [$extcount - 2], "\x00..\x1F");
if (in_array($check_ext2, $blacklist_extensions)) {
$isForbidden = true;
} else {
$isForbidden = false;
}
}
}
/*
* If one blacklisted extension found then
* return with -1 = An error occurred while trying to upload.
*/
if ($isForbidden) {
$this->smarty->assign('success', $success ? 1 : -1);
sess_add('admin_uploader_files', $uploaded_files);
return -1;
}
/*
* third check extension
* if someone upload a .php file as .gif, .jpg or .txt
* if someone upload a .html file as .gif, .jpg or .txt
*
* 2019-11-24 - laborix
*/
if (version_compare(PHP_VERSION, '5.3.0') < 0)
return -1;
if (!function_exists('finfo_open'))
return -1;
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $tmp_name);
finfo_close($finfo);
if (($mime == "text/x-php") || ($mime == "text/html")) {
$this->smarty->assign('success', $success ? 1 : -1);
sess_add('admin_uploader_files', $uploaded_files);
return -1;
}
$ext = strtolower(strrchr($name, '.'));
if (in_array($ext, $imgs)) {
$dir = IMAGES_DIR;
}
$name = sanitize_title(substr($name, 0, -strlen($ext))) . $ext;
$target = "$dir/$name";
@umask(022);
$success = move_uploaded_file($tmp_name, $target);
@chmod($target, 0766);
$uploaded_files [] = $name;
// one failure will make $success == false :)
$success &= $success;
}
if ($uploaded_files) {