fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-04 17:44:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

#1713 첨부한 파일명을 이용해 임의 코드를 실행할 수 있는 문제 고침

Browse source
This commit is contained in:
bnu 2015-08-18 14:07:33 +09:00
parent 74a74f9256
commit 633da1b13c
2 changed files with 7 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

11
modules/file/file.controller.php
View file

@ -662,16 +662,17 @@ class fileController extends file
} }
} }
// https://github.com/xpressengine/xe-core/issues/1713
$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
$file_info['name'] = removeHackTag($file_info['name']);
$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);
// Get random number generator // Get random number generator
$random = new Password(); $random = new Password();
// Set upload path by checking if the attachement is an image or other kinds of file // Set upload path by checking if the attachement is an image or other kinds of file
if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_info['name'])) if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_info['name']))
{ {
// Immediately remove the direct file if it has any kind of extensions for hacking
$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);
$path = sprintf("./files/attach/images/%s/%s", $module_srl,getNumberingPath($upload_target_srl,3)); $path = sprintf("./files/attach/images/%s/%s", $module_srl,getNumberingPath($upload_target_srl,3));
// special character to '_' // special character to '_'

1
modules/file/file.model.php
View file

@ -220,6 +220,7 @@ class fileModel extends file
{ {
$file = $file_list[$i]; $file = $file_list[$i];
$file->source_filename = stripslashes($file->source_filename); $file->source_filename = stripslashes($file->source_filename);
$file->source_filename = htmlspecialchars($file->source_filename);
$file->download_url = $this->getDownloadUrl($file->file_srl, $file->sid, $file->module_srl); $file->download_url = $this->getDownloadUrl($file->file_srl, $file->sid, $file->module_srl);
$file_list[$i] = $file; $file_list[$i] = $file;
} }