Fix multiple potential filepath manipulation vulnerabilities

This commit is contained in:
Fedor A. Fetisov 2013-09-13 15:26:54 +04:00
parent 84467fbb8d
commit 0cfb7a74f5
5 changed files with 16 additions and 11 deletions


@ -33,7 +33,7 @@ if($referer && isset($_SESSION['threadid'])) {
$image = verifyparam(isset($_GET['image']) ? "image" : "i", "/^\w+$/", "webim");
$lang = verifyparam(isset($_GET['language']) ? "language" : "lang", "/^[\w-]{2,5}$/", "");
if(!$lang || !locale_exists($lang)) {
if(!$lang || !locale_pattern_check($lang) || !locale_exists($lang)) {
$lang = $current_locale;
}
@ -51,9 +51,11 @@ if($groupid) {
}
$image_postfix = has_online_operators($groupid) ? "on" : "off";
$filename = "locales/${lang}/button/${image}_${image_postfix}.gif";
$fp = fopen($filename, 'rb') or die("no image");
$filename = dirname(__FILE__) . "/locales/${lang}/button/${image}_${image_postfix}.gif";
if (!file_exists($filename)) {
die("no image");
}
$fp = fopen($filename, 'rb') or die("unable to get image");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
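Review bot: The new path on `$filename = dirname(__FILE__) . "/locales/${lang}/button/${image}_${image_postfix}.gif"` still rests on the `verifyparam` anchors, and `/^\w+$/` and `/^[\w-]{2,5}$/` without the `D` modifier accept a trailing newline (PCRE `$` matches before a final `\n`), so `image=foo%0A` passes validation. Here the result is only a non-existent path that `file_exists` rejects, but the check should be exact regardless: `verifyparam(isset($_GET['image']) ? "image" : "i", "/^\w+$/D", "webim")` and `"/^[\w-]{2,5}$/D"` (or `\z` in place of `$`). This assumes `verifyparam` is a plain `preg_match` wrapper, which its definition outside this hunk would confirm. `file_exists` also returns true for a directory; `is_file($filename)` is the more precise guard before the `fopen`.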


@ -188,8 +188,8 @@ function load_messages($locale)
$current_encoding = $webim_encoding;
$fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r");
if (!$fp) {
die("unable to open properties for locale");
if ($fp === FALSE) {
die("unable to open properties for locale $locale");
}
while (!feof($fp)) {
$line = fgets($fp, 4096);
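Review bot: `load_messages` still interpolates `$locale` unvalidated into the `fopen` path on `dirname(__FILE__) . "/../locales/$locale/properties"`; the `locale_pattern_check` guard this commit adds lives only in the button.php caller, so any other caller passing an unchecked value keeps the traversal. A guard at the top of the function, `if (!locale_pattern_check($locale)) { die("invalid locale"); }`, closes it independently of callers. The new `die("unable to open properties for locale $locale")` also echoes the raw value into the response, and `fopen` on a missing file emits a warning that includes the absolute path when display_errors is on; drop `$locale` from the message (or pass it through `htmlspecialchars`) and test `is_file()` before `fopen`, as button.php now does. The function begins before this hunk.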


@ -16,7 +16,7 @@
*/
$ifregexp = "/\\\${(if|ifnot):([\w\.]+)}(.*?)(\\\${else:\\2}.*?)?\\\${endif:\\2}/s";
$expand_include_path = "";
$expand_include_path = dirname(__FILE__) . '/../';
$current_style = "";
function check_condition($condition)
@ -106,7 +106,7 @@ function expand($basedir, $style, $filename)
{
global $expand_include_path, $current_style;
start_html_output();
if (!is_dir("$basedir/$style")) {
if (!preg_match('/^\w+$/', $style) || !is_dir("$basedir/$style")) {
$style = "default";
}
$expand_include_path = "$basedir/$style/templates/";
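Review bot: `preg_match('/^\w+$/', $style)` on the `is_dir` line accepts a trailing newline because PCRE `$` matches before a final `\n` without the `D` modifier; `is_dir("$basedir/foo\n")` then fails and the style silently falls back to `default`, so the effect is only an unexpected fallback, but the anchor should be exact: `if (!preg_match('/^\w+$/D', $style) || !is_dir("$basedir/$style")) {`. `$basedir` is interpolated into the same path with no check at all; if any caller of `expand()` can be reached with external data that is the remaining injection point, which the callers outside this hunk would show. `expand()`'s body continues past the hunk.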


@ -46,8 +46,8 @@ if (!$op) {
$orig_filename = $_FILES['avatarFile']['name'];
$tmp_file_name = $_FILES['avatarFile']['tmp_name'];
$ext = strtolower(substr($orig_filename, 1 + strrpos($orig_filename, ".")));
$new_file_name = "$opId.$ext";
$ext = preg_replace('/\//', '', strtolower(substr($orig_filename, 1 + strrpos($orig_filename, "."))));
$new_file_name = intval($opId). ".$ext";
loadsettings();
$file_size = $_FILES['avatarFile']['size'];
@ -56,7 +56,7 @@ if (!$op) {
} elseif (!in_array($ext, $valid_types)) {
$errors[] = failed_uploading_file($orig_filename, "errors.invalid.file.type");
} else {
$avatar_local_dir = "../images/avatar/";
$avatar_local_dir = dirname(__FILE__) . "/../images/avatar/";
$full_file_path = $avatar_local_dir . $new_file_name;
if (file_exists($full_file_path)) {
unlink($full_file_path);
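Review bot: The extension handling on `$ext = preg_replace('/\//', '', strtolower(substr(...)))` is only safe because of the `in_array($ext, $valid_types)` whitelist a few lines later: when `$orig_filename` has no `.`, `strrpos` returns false, `1 + false` is `1`, and `$ext` becomes the filename minus its first byte, which the whitelist must then reject. That deserves a comment on the line, e.g. `// no '.' in the name -> strrpos() is false -> $ext is arbitrary; relies on the $valid_types whitelist below`. Stripping only `/` leaves `\` and NUL in `$ext`, so the whitelist rather than this replace is the real control, and `in_array($ext, $valid_types, true)` would make it strict. The whitelist inspects only the client-supplied name; checking the upload is really an image, `getimagesize($tmp_file_name) !== false`, before the `unlink` would keep a non-image with a valid extension out of `images/avatar/`.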


@ -58,6 +58,9 @@ function save_message($locale, $key, $value)
$added = false;
$current_encoding = $webim_encoding;
$fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r");
if ($fp === FALSE) {
die "unable to open properties for locale $locale";
}
while (!feof($fp)) {
$line = fgets($fp, 4096);
$keyval = preg_split("/=/", $line, 2);
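Review bot: `die "unable to open properties for locale $locale";` is a parse error — `die`/`exit` take an argument only in parentheses — so including this file fails outright and every caller of `save_message` breaks, not just the error path. It should read `die("unable to open properties for locale $locale");`, the parenthesised form used elsewhere in this commit. The same two concerns as in the loader apply here: `$locale` is interpolated into the `fopen` path and the error message without validation inside this function, and `fopen` on a missing file emits a warning exposing the absolute path; a `locale_pattern_check($locale)` guard at the top of the function and omitting or escaping `$locale` in the message would address both. `save_message` begins before this hunk and continues after it.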