issue 3633, protect from file upload hacking
git-svn-id: http://xe-core.googlecode.com/svn/branches/maserati@13182 201d5d3c-b55e-5fd7-737f-ddc643e51545
This commit is contained in:
parent
f010a2ce7f
commit
acd89ccd9a
10 changed files with 111 additions and 15 deletions
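--- /dev/null
+++ b/classes/security/UploadFileFilter.class.php
@@ -0,0 +1,40 @@
+<?php
+
+class UploadFileFilter
+{
+private static $_block_list = array('exec', 'system', 'passthru', 'show_source', 'phpinfo', 'fopen', 'file_get_contents', 'file_put_contents', 'fwrite', 'proc_open', 'popen');
+
+public function check($file)
+{
+if (!$file || !file_exists($file)) return TRUE;
+return self::_check($file);
+}
+
+private function _check($file)
+{
+if (!($fp = fopen($file, 'r'))) return FALSE;
+$has_php_tag = FALSE;
+while (!feof($fp))
+{
+$content = fread($fp, 8192);
+if (FALSE === $has_php_tag) $has_php_tag = strpos($content, '<?');
+foreach (self::$_block_list as $v)
+{
+if (FALSE !== $has_php_tag && FALSE !== strpos($content, $v))
+{
+fclose($fp);
+debugPrint('unvalid file');
+return FALSE;
+}
+}
+}
+
+fclose($fp);
+
+debugPrint('valid file');
+return TRUE;
+}
+}
+
+/* End of file : UploadFileFilter.class.php */
+/* Location: ./classes/security/UploadFileFilter.class.php */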
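Review bot: `check()` and `_check()` are declared as instance methods but are only ever called statically — `self::_check($file)` inside `check()` here and `UploadFileFilter::check($file)` in the `checkUploadedFile()` hunk below — which PHP 5 tolerates with an E_STRICT notice and PHP 8 rejects with a fatal Error; declare them `public static function check($file)` and `private static function _check($file)`. The loop tests each 8192-byte `fread()` chunk on its own, so an open tag or a blocked name that straddles a chunk boundary is never matched; keeping the tail of the previous chunk (the length of the longest block-list entry) in front of the next comparison closes that gap. A path that does not exist returns TRUE while one that cannot be opened returns FALSE, so the filter fails open in one case and closed in the other; a comment should state which is intended, or both should return FALSE. A class-level comment should also say that this is a keyword heuristic meant as defence in depth, not a substitute for extension allow-listing, `is_uploaded_file()` and keeping uploads outside the executable web root.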
@ -981,6 +981,18 @@ function removeHackTag($content)
|
|||
return $content;
|
||||
}
|
||||
|
||||
/**
|
||||
* check uploaded file which may be hacking attempts
|
||||
*
|
||||
* @param string $file Taget file path
|
||||
* @return bool
|
||||
*/
|
||||
function checkUploadedFile($file)
|
||||
{
|
||||
require_once(_XE_PATH_ . 'classes/security/UploadFileFilter.class.php');
|
||||
return UploadFileFilter::check($file);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check xmp tag, close it.
|
||||
*
|
||||
|
|
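Review bot: The docblock on `checkUploadedFile()` has a typo (`Taget file path` → `Target file path`) and leaves the meaning of the boolean unstated, although every caller in this commit treats FALSE as "reject"; spell it out: `@return bool TRUE when the file is absent or passes the keyword scan, FALSE when it cannot be opened or contains a blocked function name after a PHP open tag`. Since the scan is a heuristic, the comment should also tell callers to keep their `is_uploaded_file()` and extension checks rather than rely on this call alone.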
|
|||
|
|
@ -663,6 +663,10 @@ class fileController extends file
|
|||
}
|
||||
// Create a directory
|
||||
if(!FileHandler::makeDir($path)) return new Object(-1,'msg_not_permitted_create');
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($file_info['tmp_name'])) return new Object(-1,'msg_file_upload_error');
|
||||
|
||||
// Move the file
|
||||
if($manual_insert)
|
||||
{
|
||||
|
|
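Review bot: The `checkUploadedFile()` call sits after `FileHandler::makeDir($path)`, so a rejected upload still leaves the freshly created directory behind; if `$path` is specific to this upload (its computation is outside the hunk), move `if(!checkUploadedFile($file_info['tmp_name'])) return new Object(-1,'msg_file_upload_error');` above the `// Create a directory` line so that rejection has no filesystem side effect. The enclosing method begins and ends outside this hunk.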
|
|||
|
|
@ -81,8 +81,8 @@ class integration_searchAdminController extends integration_search
|
|||
$obj->{$vars->name} = $module_info->{$vars->name};
|
||||
continue;
|
||||
}
|
||||
// Ignore if the file is not successfully uploaded
|
||||
if(!is_uploaded_file($image_obj['tmp_name']))
|
||||
// Ignore if the file is not successfully uploaded, and check uploaded file
|
||||
if(!is_uploaded_file($image_obj['tmp_name']) || !checkUploadedFile($image_obj['tmp_name']))
|
||||
{
|
||||
unset($obj->{$vars->name});
|
||||
continue;
|
||||
|
|
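Review bot: A file refused by `checkUploadedFile()` is handled exactly like a missing upload (`unset($obj->{$vars->name}); continue;`), so the administrator gets no error and the only trace is the `debugPrint` inside the filter; a rejection here is a security-relevant event and deserves a persistent log line or a message set on the response. The new comment also reads awkwardly — `// Ignore the file if it was not uploaded successfully or fails the upload filter` says the same thing more clearly. The moduleAdminController and rssAdminController hunks below drop rejected files in the same silent way.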
|
|||
|
|
@ -440,6 +440,9 @@ class layoutAdminController extends layout
|
|||
$filename = sprintf('%s.%s', md5($filename), $ext);
|
||||
}
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($source['tmp_name'])) return false;
|
||||
|
||||
if(file_exists($path .'/'. $filename)) @unlink($path . $filename);
|
||||
if(!move_uploaded_file($source['tmp_name'], $path . $filename )) return false;
|
||||
return true;
|
||||
|
|
@ -692,7 +695,7 @@ class layoutAdminController extends layout
|
|||
// check upload
|
||||
if(!Context::isUploaded()) exit();
|
||||
$file = Context::get('file');
|
||||
if(!is_uploaded_file($file['tmp_name'])) exit();
|
||||
if(!is_uploaded_file($file['tmp_name']) || !checkUploadedFile($file['tmp_name'])) exit();
|
||||
if(!preg_match('/\.(tar)$/i', $file['name'])) exit();
|
||||
|
||||
$layout_srl = Context::get('layout_srl');
|
||||
|
|
@ -927,7 +930,7 @@ class layoutAdminController extends layout
|
|||
$this->setTemplatePath($this->module_path.'tpl');
|
||||
$this->setTemplateFile("after_upload_config_image.html");
|
||||
|
||||
if(!$img['tmp_name'] || !is_uploaded_file($img['tmp_name']))
|
||||
if(!$img['tmp_name'] || !is_uploaded_file($img['tmp_name']) || !checkUploadedFile($img['tmp_name']))
|
||||
{
|
||||
Context::set('msg', Context::getLang('upload failed'));
|
||||
return;
|
||||
|
|
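Review bot: In the `@ -692,7 +695,7 @@` hunk the filter runs over the raw `.tar` bytes; tar stores member contents uncompressed, so the scan can see them, but the files that actually land on disk are the extracted members, and whatever unpacks the archive later (outside this hunk) should run `checkUploadedFile()` on each extracted file as well. The bare `exit()` on rejection is pre-existing, but it now also hides filter refusals from the admin; setting an error message before exiting would make the refusal visible. The enclosing methods of all three hunks continue outside the hunks.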
|
|||
|
|
@ -645,6 +645,10 @@ class memberController extends member
|
|||
*/
|
||||
function insertProfileImage($member_srl, $target_file)
|
||||
{
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($target_file)) return;
|
||||
|
||||
$oModuleModel = &getModel('module');
|
||||
$config = $oModuleModel->getModuleConfig('member');
|
||||
// Get an image size
|
||||
|
|
@ -706,6 +710,9 @@ class memberController extends member
|
|||
*/
|
||||
function insertImageName($member_srl, $target_file)
|
||||
{
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($target_file)) return;
|
||||
|
||||
$oModuleModel = &getModel('module');
|
||||
$config = $oModuleModel->getModuleConfig('member');
|
||||
// Get an image size
|
||||
|
|
@ -812,6 +819,9 @@ class memberController extends member
|
|||
*/
|
||||
function insertImageMark($member_srl, $target_file)
|
||||
{
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($target_file)) return;
|
||||
|
||||
$oModuleModel = &getModel('module');
|
||||
$config = $oModuleModel->getModuleConfig('member');
|
||||
// Get an image size
|
||||
|
|
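Review bot: `insertProfileImage()`, `insertImageName()` and `insertImageMark()` all bail out with a bare `return;` when the filter rejects the file, so a caller cannot tell a refused image from a stored one and will likely report success; if the other exit paths of these methods (outside the hunks) return an `Object`, return `new Object(-1, 'msg_file_upload_error')` here instead, otherwise record the rejection before returning. The first hunk also leaves an empty line between the opening `{` and the `// Check uploaded file` comment that the other two do not; drop it for consistency. All three methods continue past their hunks.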
|
|||
|
|
@ -1361,11 +1361,17 @@ class menuAdminController extends menu
|
|||
$target = Context::get('target');
|
||||
$target_file = Context::get($target);
|
||||
// Error occurs when the target is neither a uploaded file nor a valid file
|
||||
if(!$menu_srl || !$menu_item_srl || !$target_file || !is_uploaded_file($target_file['tmp_name']) || !preg_match('/\.(gif|jpeg|jpg|png)/i',$target_file['name']))
|
||||
if(!$menu_srl || !$menu_item_srl)
|
||||
{
|
||||
Context::set('error_messge', Context::getLang('msg_invalid_request'));
|
||||
// Move the file to a specific director if the uploaded file meets requirement
|
||||
|
||||
}
|
||||
else if(!$target_file || !is_uploaded_file($target_file['tmp_name']) || !preg_match('/\.(gif|jpeg|jpg|png)/i',$target_file['name']) || !checkUploadedFile($target_file['tmp_name']))
|
||||
{
|
||||
Context::set('error_messge', Context::getLang('msg_invalid_request'));
|
||||
}
|
||||
|
||||
// Move the file to a specific director if the uploaded file meets requirement
|
||||
else
|
||||
{
|
||||
$tmp_arr = explode('.',$target_file['name']);
|
||||
|
|
@ -1977,8 +1983,12 @@ class menuAdminController extends menu
|
|||
$ext = $tmp_arr[count($tmp_arr)-1];
|
||||
|
||||
$filename = sprintf('%s%d.%s.%s.%s', $path, $args->menu_item_srl, $date, 'menu_normal_btn', $ext);
|
||||
move_uploaded_file($args->menu_normal_btn['tmp_name'], $filename);
|
||||
$returnArray['normal_btn'] = $filename;
|
||||
|
||||
if(checkUploadedFile($args->menu_normal_btn['tmp_name']))
|
||||
{
|
||||
move_uploaded_file ( $args->menu_normal_btn ['tmp_name'], $filename );
|
||||
$returnArray ['normal_btn'] = $filename;
|
||||
}
|
||||
}
|
||||
|
||||
// hover button
|
||||
|
|
@ -1988,8 +1998,12 @@ class menuAdminController extends menu
|
|||
$ext = $tmp_arr[count($tmp_arr)-1];
|
||||
|
||||
$filename = sprintf('%s%d.%s.%s.%s', $path, $args->menu_item_srl, $date, 'menu_hover_btn', $ext);
|
||||
move_uploaded_file($args->menu_hover_btn['tmp_name'], $filename);
|
||||
$returnArray['hover_btn'] = $filename;
|
||||
|
||||
if(checkUploadedFile($args->menu_hover_btn['tmp_name']))
|
||||
{
|
||||
move_uploaded_file($args->menu_hover_btn['tmp_name'], $filename);
|
||||
$returnArray['hover_btn'] = $filename;
|
||||
}
|
||||
}
|
||||
|
||||
// active button
|
||||
|
|
@ -1999,8 +2013,13 @@ class menuAdminController extends menu
|
|||
$ext = $tmp_arr[count($tmp_arr)-1];
|
||||
|
||||
$filename = sprintf('%s%d.%s.%s.%s', $path, $args->menu_item_srl, $date, 'menu_active_btn', $ext);
|
||||
move_uploaded_file($args->menu_active_btn['tmp_name'], $filename);
|
||||
$returnArray['active_btn'] = $filename;
|
||||
|
||||
if(checkUploadedFile($args->menu_active_btn['tmp_name']))
|
||||
{
|
||||
move_uploaded_file($args->menu_active_btn['tmp_name'], $filename);
|
||||
$returnArray['active_btn'] = $filename;
|
||||
}
|
||||
|
||||
}
|
||||
return $returnArray;
|
||||
}
|
||||
|
|
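Review bot: In the three button hunks (`@ -1977`, `@ -1988`, `@ -1999`) a file that fails `checkUploadedFile()` is skipped with no `else`, so `$returnArray['normal_btn']` (and the hover/active keys) simply stay unset and the caller has no way to learn that a button image was refused; add an else branch that records the rejection — for example (constructed key) `else $returnArray['error'] = 'msg_file_upload_error';` if the caller can surface it, or at least a log line. The first of those hunks also uses a different spacing style (`move_uploaded_file ( $args->menu_normal_btn ['tmp_name'], $filename );`) from the other two; write it as `move_uploaded_file($args->menu_normal_btn['tmp_name'], $filename);`. The return value of `move_uploaded_file()` is still unchecked in all three, so a failed move reports the filename as stored.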
|
|||
|
|
@ -436,7 +436,7 @@ class moduleAdminController extends module
|
|||
continue;
|
||||
}
|
||||
// Ignore if the file is not successfully uploaded
|
||||
if(!is_uploaded_file($image_obj['tmp_name']))
|
||||
if(!is_uploaded_file($image_obj['tmp_name']) || !checkUploadedFile($image_obj['tmp_name']))
|
||||
{
|
||||
unset($obj->{$vars->name});
|
||||
continue;
|
||||
|
|
|
|||
|
|
@ -1134,7 +1134,8 @@ class moduleController extends module
|
|||
}
|
||||
else
|
||||
{
|
||||
$this->add('save_filename', $output->get('save_filename'));
|
||||
if($output) $this->add('save_filename', $output->get('save_filename'));
|
||||
else $this->add('save_filename', '');
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1156,6 +1157,9 @@ class moduleController extends module
|
|||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $ext);
|
||||
$tmp = $vars->addfile['tmp_name'];
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($tmp)) return false;
|
||||
|
||||
if(!@move_uploaded_file($tmp, $save_filename))
|
||||
{
|
||||
return false;
|
||||
|
|
@ -1188,6 +1192,9 @@ class moduleController extends module
|
|||
$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $vars->ext);
|
||||
$tmp = $vars->addfile['tmp_name'];
|
||||
|
||||
// Check uploaded file
|
||||
if(!checkUploadedFile($tmp)) return false;
|
||||
|
||||
// upload
|
||||
if(!@move_uploaded_file($tmp, $save_filename))
|
||||
{
|
||||
|
|
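Review bot: In the `@ -1134,7 +1134,8 @@` hunk a filter rejection (the `return false` added in the two hunks below) now surfaces only as `save_filename` set to `''`, with no error code or message on the response, so the admin sees an empty result rather than a refusal; if the method that returns `$output` can return an error `Object` (its other branches are outside the hunk), return one there instead of `false`, or set an error on the response in the `else` branch, whichever matches the class's existing convention. The brace-less `if`/`else` pair split across two lines is also easy to misread; brace both branches.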
|
|||
|
|
@ -44,7 +44,7 @@ class rssAdminController extends rss
|
|||
$total_config->image = '';
|
||||
}
|
||||
// Ignore if the file is not the one which has been successfully uploaded
|
||||
if($image_obj['tmp_name'] && is_uploaded_file($image_obj['tmp_name']))
|
||||
if($image_obj['tmp_name'] && is_uploaded_file($image_obj['tmp_name']) && checkUploadedFile($image_obj['tmp_name']))
|
||||
{
|
||||
// Ignore if the file is not an image (swf is accepted ~)
|
||||
$image_obj['name'] = Context::convertEncodingStr($image_obj['name']);
|
||||
|
|
@ -59,6 +59,7 @@ class rssAdminController extends rss
|
|||
else
|
||||
{
|
||||
$filename = $path.$image_obj['name'];
|
||||
|
||||
// Move the file
|
||||
if(!move_uploaded_file($image_obj['tmp_name'], $filename)) $alt_message = 'msg_error_occured';
|
||||
else
|
||||
|
|
|
|||