Fix RVE-2026-1 arbitrary file association by extra var

2026-04-02 01:52:10 +09:00 · 2026-02-16 21:56:44 +09:00 · 2026-02-16 21:56:44 +09:00 · f131a616eb
commit f131a616eb
parent c5d453a2df
5 changed files with 44 additions and 20 deletions
--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@ -897,7 +897,7 @@ class DocumentController extends Document
 					}

 					// Handle extra vars that support file upload.
-					if ($extra_item->type === 'file' && is_array($value))
+					if ($extra_item->type === 'file' && $value)
 					{
 						$ev_output = $extra_item->uploadFile($value, $obj->document_srl, 'doc');
 						if (!$ev_output->toBool())
@ -1295,16 +1295,20 @@ class DocumentController extends Document
 						if ($extra_item->type === 'file')
 						{
 							// New upload
-							if (is_array($value) && isset($value['name']))
+							if (is_array($value) && isset($value['tmp_name']))
 							{
 								// Delete old file
 								if (isset($old_extra_vars[$idx]->value))
 								{
-									$fc_output = FileController::getInstance()->deleteFile($old_extra_vars[$idx]->value);
-									if (!$fc_output->toBool())
+									$old_file = FileModel::getFile($old_extra_vars[$idx]->value);
+									if ($old_file && $old_file->upload_target_srl == $obj->document_srl)
 									{
-										$oDB->rollback();
-										return $fc_output;
+										$fc_output = FileController::getInstance()->deleteFile($old_file->file_srl);
+										if (!$fc_output->toBool())
+										{
+											$oDB->rollback();
+											return $fc_output;
+										}
 									}
 								}
 								// Insert new file
@ -1329,21 +1333,22 @@ class DocumentController extends Document
 										return $ev_output;
 									}
 									// Delete old file
-									$fc_output = FileController::getInstance()->deleteFile($old_extra_vars[$idx]->value);
-									if (!$fc_output->toBool())
+									$old_file = FileModel::getFile($old_extra_vars[$idx]->value);
+									if ($old_file && $old_file->upload_target_srl == $obj->document_srl)
 									{
-										$oDB->rollback();
-										return $fc_output;
+										$fc_output = FileController::getInstance()->deleteFile($old_file->file_srl);
+										if (!$fc_output->toBool())
+										{
+											$oDB->rollback();
+											return $fc_output;
+										}
 									}
 								}
 							}
 							// Leave current file unchanged
-							elseif (!$value)
+							elseif (isset($old_extra_vars[$idx]->value))
 							{
-								if (isset($old_extra_vars[$idx]->value))
-								{
-									$value = $old_extra_vars[$idx]->value;
-								}
+								$value = $old_extra_vars[$idx]->value;
 							}
 						}
 					}