From 0cfb7a74f5014ef9fec8c3cdf9e98c2a4674ba62 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Fri, 13 Sep 2013 15:26:54 +0400
Subject: [PATCH] Fix multiple potential filepath manipulation vulnerabilities

---
 src/messenger/webim/b.php | 10 ++++++----
 src/messenger/webim/libs/common.php | 4 ++--
 src/messenger/webim/libs/expand.php | 4 ++--
 src/messenger/webim/operator/avatar.php | 6 +++---
 src/messenger/webim/operator/translate.php | 3 +++
 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/src/messenger/webim/b.php b/src/messenger/webim/b.php
index f83310a4..cfb18322 100644
--- a/src/messenger/webim/b.php
+++ b/src/messenger/webim/b.php
@@ -33,7 +33,7 @@ if($referer && isset($_SESSION['threadid'])) {
 
 $image = verifyparam(isset($_GET['image']) ? "image" : "i", "/^\w+$/", "webim");
 $lang = verifyparam(isset($_GET['language']) ? "language" : "lang", "/^[\w-]{2,5}$/", "");
-if(!$lang || !locale_exists($lang)) {
+if(!$lang || !locale_pattern_check($lang) || !locale_exists($lang)) {
 	$lang = $current_locale;
 }
 
@@ -51,9 +51,11 @@ if($groupid) {
 }
 
 $image_postfix = has_online_operators($groupid) ? "on" : "off";
-$filename = "locales/${lang}/button/${image}_${image_postfix}.gif";
-
-$fp = fopen($filename, 'rb') or die("no image");
+$filename = dirname(__FILE__) . "/locales/${lang}/button/${image}_${image_postfix}.gif";
+if (!file_exists($filename)) {
+	die("no image");
+}
+$fp = fopen($filename, 'rb') or die("unable to get image");
 header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
 header("Cache-Control: no-store, no-cache, must-revalidate");
 header("Pragma: no-cache");
diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index 2be94966..050eef9d 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
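Review bot: The added `locale_pattern_check($lang)` guard is only as tight as its anchoring, and the `verifyparam` pattern on the line above, `"/^[\w-]{2,5}$/"`, shows the pitfall: in PCRE `$` also matches before a trailing newline, so a constructed value such as `en%0A` passes that pattern. Anchor with `\z` or the `D` modifier (`"/^[\w-]{2,5}\z/"`), and check that `locale_pattern_check` (not shown in the diff) and the `preg_match('/^\w+$/', $style)` added in expand.php anchor the same way. `locale_exists` most likely rejects the stray newline anyway, so this is defence in depth rather than an open traversal.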
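Review bot: Both `die()` calls in the new block answer with HTTP 200 and a text body where the caller expects a GIF; emit a status first, e.g. `header("HTTP/1.0 404 Not Found"); die("no image");`, so browsers and caches do not treat the error text as the image. The `file_exists` pre-check is redundant with the `or die` on `fopen` and leaves a check-then-open window; a single `fopen` compared with `=== false` would do. Stylistically, `"${lang}"` interpolation is deprecated as of PHP 8.2 — prefer `"{$lang}"`.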
@@ -188,8 +188,8 @@ function load_messages($locale)
 
 	$current_encoding = $webim_encoding;
 	$fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r");
-	if (!$fp) {
-		die("unable to open properties for locale");
+	if ($fp === FALSE) {
+		die("unable to open properties for locale $locale");
 	}
 	while (!feof($fp)) {
 		$line = fgets($fp, 4096);
diff --git a/src/messenger/webim/libs/expand.php b/src/messenger/webim/libs/expand.php
index fd7e3d38..89954710 100644
--- a/src/messenger/webim/libs/expand.php
+++ b/src/messenger/webim/libs/expand.php
@@ -16,7 +16,7 @@
  */
 
 $ifregexp = "/\\\${(if|ifnot):([\w\.]+)}(.*?)(\\\${else:\\2}.*?)?\\\${endif:\\2}/s";
-$expand_include_path = "";
+$expand_include_path = dirname(__FILE__) . '/../';
 $current_style = "";
 
 function check_condition($condition)
@@ -106,7 +106,7 @@ function expand($basedir, $style, $filename)
 {
 	global $expand_include_path, $current_style;
 	start_html_output();
-	if (!is_dir("$basedir/$style")) {
+	if (!preg_match('/^\w+$/', $style) || !is_dir("$basedir/$style")) {
 		$style = "default";
 	}
 	$expand_include_path = "$basedir/$style/templates/";
diff --git a/src/messenger/webim/operator/avatar.php b/src/messenger/webim/operator/avatar.php
index d97b389f..2fb1c3af 100644
--- a/src/messenger/webim/operator/avatar.php
+++ b/src/messenger/webim/operator/avatar.php
@@ -46,8 +46,8 @@ if (!$op) {
 
 	$orig_filename = $_FILES['avatarFile']['name'];
 	$tmp_file_name = $_FILES['avatarFile']['tmp_name'];
-	$ext = strtolower(substr($orig_filename, 1 + strrpos($orig_filename, ".")));
-	$new_file_name = "$opId.$ext";
+	$ext = preg_replace('/\//', '', strtolower(substr($orig_filename, 1 + strrpos($orig_filename, "."))));
+	$new_file_name = intval($opId). ".$ext";
 
 	loadsettings();
 	$file_size = $_FILES['avatarFile']['size'];
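Review bot: `die("unable to open properties for locale $locale")` reflects `$locale` into the response verbatim; where `$locale` derives from a request parameter or cookie (its origin is outside this hunk) and the page is rendered as HTML, that is a reflected-XSS sink. Escape it: `die("unable to open properties for locale " . htmlspecialchars($locale, ENT_QUOTES, 'UTF-8'));`. The same message is added to `save_message` in translate.php. Minor style: `FALSE` should be lowercase `false`. `load_messages` continues outside the hunk.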
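Review bot: The new default `dirname(__FILE__) . '/../'` for `$expand_include_path` is a different base from the `"$basedir/$style/templates/"` that `expand()` assigns later in this file, and nothing records when the default is meant to apply; a comment such as `// fallback include base (webim root) until expand() selects a style directory — confirm which callers rely on it` would help the next reader. `__DIR__` is the shorter equivalent of `dirname(__FILE__)` on PHP 5.3+.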
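Review bot: Stripping `/` from the extension is not what keeps the stored name safe — the allow-list check `in_array($ext, $valid_types)` a few lines further down is — and the new expression still mishandles a name without a dot (`strrpos` returns `false`, so `substr(..., 1)` yields the whole name minus its first byte) and leaves backslashes and other separators untouched. `$ext = strtolower(pathinfo($orig_filename, PATHINFO_EXTENSION));` is both simpler and robust, and the allow-list should be strict: `in_array($ext, $valid_types, true)`. Using `intval($opId)` for the base name is the right move. The enclosing upload branch starts before the hunk; consider also validating the upload's content (e.g. `getimagesize`) rather than only its client-supplied name.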
@@ -56,7 +56,7 @@ if (!$op) {
 	} elseif (!in_array($ext, $valid_types)) {
 		$errors[] = failed_uploading_file($orig_filename, "errors.invalid.file.type");
 	} else {
-		$avatar_local_dir = "../images/avatar/";
+		$avatar_local_dir = dirname(__FILE__) . "/../images/avatar/";
 		$full_file_path = $avatar_local_dir . $new_file_name;
 		if (file_exists($full_file_path)) {
 			unlink($full_file_path);
diff --git a/src/messenger/webim/operator/translate.php b/src/messenger/webim/operator/translate.php
index d724ff44..7b281aba 100644
--- a/src/messenger/webim/operator/translate.php
+++ b/src/messenger/webim/operator/translate.php
@@ -58,6 +58,9 @@ function save_message($locale, $key, $value)
 	$added = false;
 	$current_encoding = $webim_encoding;
 	$fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r");
+	if ($fp === FALSE) {
+		die "unable to open properties for locale $locale";
+	}
 	while (!feof($fp)) {
 		$line = fgets($fp, 4096);
 		$keyval = preg_split("/=/", $line, 2);
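Review bot: `die "unable to open properties for locale $locale";` is not valid PHP — `die`/`exit` takes its argument only in parentheses — so this hunk makes translate.php fail to parse and takes the whole translation page down. Write it as `die("unable to open properties for locale " . htmlspecialchars($locale, ENT_QUOTES, 'UTF-8'));`, which also avoids reflecting `$locale` unescaped as the sibling change in common.php does. `save_message` continues outside the hunk.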