Fix multiple potential filepath manipulation vulnerabilities

This commit is contained in:
Fedor A. Fetisov 2013-09-13 15:26:54 +04:00
parent 84467fbb8d
commit 0cfb7a74f5
5 changed files with 16 additions and 11 deletions


@ -33,7 +33,7 @@ if($referer && isset($_SESSION['threadid'])) {
$image = verifyparam(isset($_GET['image']) ? "image" : "i", "/^\w+$/", "webim"); $image = verifyparam(isset($_GET['image']) ? "image" : "i", "/^\w+$/", "webim");
$lang = verifyparam(isset($_GET['language']) ? "language" : "lang", "/^[\w-]{2,5}$/", ""); $lang = verifyparam(isset($_GET['language']) ? "language" : "lang", "/^[\w-]{2,5}$/", "");
if(!$lang || !locale_exists($lang)) { if(!$lang || !locale_pattern_check($lang) || !locale_exists($lang)) {
$lang = $current_locale; $lang = $current_locale;
} }
@ -51,9 +51,11 @@ if($groupid) {
} }
$image_postfix = has_online_operators($groupid) ? "on" : "off"; $image_postfix = has_online_operators($groupid) ? "on" : "off";
$filename = "locales/${lang}/button/${image}_${image_postfix}.gif"; $filename = dirname(__FILE__) . "/locales/${lang}/button/${image}_${image_postfix}.gif";
if (!file_exists($filename)) {
$fp = fopen($filename, 'rb') or die("no image"); die("no image");
}
$fp = fopen($filename, 'rb') or die("unable to get image");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache"); header("Pragma: no-cache");
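Review bot: The anchors in `"/^\w+$/"` and `"/^[\w-]{2,5}$/"` still let a single trailing newline through, because PCRE `$` matches before a final `\n` unless the `D` modifier or `\z` is used, so `image=webim%0A` passes verifyparam and reaches the `$filename` line. Here `\w` excludes `/` and `.`, so the stray byte cannot escape `button/`, but `"/^\w+\z/"` and `"/^[\w-]{2,5}\z/"` make that guarantee explicit rather than incidental, and what `locale_pattern_check` adds on top is not visible in this hunk. Separately, `die("no image")` after the new `file_exists` check answers with HTTP 200 and a text body on what is an image URL; sending `header("HTTP/1.1 404 Not Found");` first lets clients and caches tell the failure apart. The remainder of the script lies outside these hunks.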


@ -188,8 +188,8 @@ function load_messages($locale)
$current_encoding = $webim_encoding; $current_encoding = $webim_encoding;
$fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r"); $fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r");
if (!$fp) { if ($fp === FALSE) {
die("unable to open properties for locale"); die("unable to open properties for locale $locale");
} }
while (!feof($fp)) { while (!feof($fp)) {
$line = fgets($fp, 4096); $line = fgets($fp, 4096);
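Review bot: load_messages still builds `"/../locales/$locale/properties"` straight from its argument, and the only validation this commit adds lives in a caller, so any other call site that passes an unchecked `$locale` keeps the traversal; a local guard such as `if (!preg_match('/^[\w-]+\z/', $locale)) die("invalid locale");` before the fopen would protect the function regardless of who calls it. The new die message also echoes `$locale` into the response unescaped; if that value can originate from the request, use `die("unable to open properties for locale " . htmlspecialchars($locale));`. The `=== FALSE` comparison is the right one. The rest of load_messages is outside this hunk.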


@ -16,7 +16,7 @@
*/ */
$ifregexp = "/\\\${(if|ifnot):([\w\.]+)}(.*?)(\\\${else:\\2}.*?)?\\\${endif:\\2}/s"; $ifregexp = "/\\\${(if|ifnot):([\w\.]+)}(.*?)(\\\${else:\\2}.*?)?\\\${endif:\\2}/s";
$expand_include_path = ""; $expand_include_path = dirname(__FILE__) . '/../';
$current_style = ""; $current_style = "";
function check_condition($condition) function check_condition($condition)
@ -106,7 +106,7 @@ function expand($basedir, $style, $filename)
{ {
global $expand_include_path, $current_style; global $expand_include_path, $current_style;
start_html_output(); start_html_output();
if (!is_dir("$basedir/$style")) { if (!preg_match('/^\w+$/', $style) || !is_dir("$basedir/$style")) {
$style = "default"; $style = "default";
} }
$expand_include_path = "$basedir/$style/templates/"; $expand_include_path = "$basedir/$style/templates/";
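Review bot: The new `preg_match('/^\w+$/', $style)` guard in expand covers only `$style`; `$basedir` goes unchecked into the same `is_dir("$basedir/$style")` and `$expand_include_path = "$basedir/$style/templates/"`, so if any caller derives it from request input the traversal has only moved one argument over — worth confirming at the call sites, which are not visible here. The `$` anchor also admits a trailing newline (`style=foo%0A`); `is_dir` then fails and the code falls back to `default`, so it is harmless in this spot, but `'/^\w+\z/'` states the intent exactly. Note that the absolute default set in the first hunk is overwritten by this `$basedir`-based value as soon as expand() runs, so the include path is only CWD-independent if every `$basedir` passed in is already absolute. The body of expand continues past this hunk.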


@ -46,8 +46,8 @@ if (!$op) {
$orig_filename = $_FILES['avatarFile']['name']; $orig_filename = $_FILES['avatarFile']['name'];
$tmp_file_name = $_FILES['avatarFile']['tmp_name']; $tmp_file_name = $_FILES['avatarFile']['tmp_name'];
$ext = strtolower(substr($orig_filename, 1 + strrpos($orig_filename, "."))); $ext = preg_replace('/\//', '', strtolower(substr($orig_filename, 1 + strrpos($orig_filename, "."))));
$new_file_name = "$opId.$ext"; $new_file_name = intval($opId). ".$ext";
loadsettings(); loadsettings();
$file_size = $_FILES['avatarFile']['size']; $file_size = $_FILES['avatarFile']['size'];
@ -56,7 +56,7 @@ if (!$op) {
} elseif (!in_array($ext, $valid_types)) { } elseif (!in_array($ext, $valid_types)) {
$errors[] = failed_uploading_file($orig_filename, "errors.invalid.file.type"); $errors[] = failed_uploading_file($orig_filename, "errors.invalid.file.type");
} else { } else {
$avatar_local_dir = "../images/avatar/"; $avatar_local_dir = dirname(__FILE__) . "/../images/avatar/";
$full_file_path = $avatar_local_dir . $new_file_name; $full_file_path = $avatar_local_dir . $new_file_name;
if (file_exists($full_file_path)) { if (file_exists($full_file_path)) {
unlink($full_file_path); unlink($full_file_path);
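Review bot: The `$ext` derivation on the first changed line still mishandles a filename with no dot: `strrpos` returns `false`, `1 + false` is `1`, and `$ext` becomes the client-supplied name minus its first byte, with only the later `in_array($ext, $valid_types)` allowlist standing in the way; `$ext = strtolower(pathinfo($orig_filename, PATHINFO_EXTENSION));` yields the extension (empty when absent) without the arithmetic and makes the `preg_replace('/\//', '', ...)` strip unnecessary, since the allowlist rather than that blacklist is the real control. That `in_array` call should pass `true` as its third argument so loose comparison cannot match an unexpected value. `intval($opId)` on the `$new_file_name` line closes the traversal through the id, but the `file_exists`/`unlink` pair then deletes whatever sat at that path, so unless `$opId` is authorised against the logged-in operator before this point (not visible here) one operator can replace another's avatar. The enclosing `if (!$op)` branch starts and ends outside this hunk.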


@ -58,6 +58,9 @@ function save_message($locale, $key, $value)
$added = false; $added = false;
$current_encoding = $webim_encoding; $current_encoding = $webim_encoding;
$fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r"); $fp = fopen(dirname(__FILE__) . "/../locales/$locale/properties", "r");
if ($fp === FALSE) {
die "unable to open properties for locale $locale";
}
while (!feof($fp)) { while (!feof($fp)) {
$line = fgets($fp, 4096); $line = fgets($fp, 4096);
$keyval = preg_split("/=/", $line, 2); $keyval = preg_split("/=/", $line, 2);
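Review bot: `die "unable to open properties for locale $locale";` on the second added line is a syntax error — PHP accepts `die`/`exit` either with no argument or with a parenthesised one — so the whole file fails to compile after this commit and every caller of save_message goes down with it; it should read `die("unable to open properties for locale $locale");`, matching the form used in the load_messages hunk of the same commit. As there, the message interpolates `$locale` into the response unescaped, so if the value can come from the request it should go through `htmlspecialchars` first. The function also builds its fopen path from `$locale` without validating it locally, relying entirely on callers having done so. save_message continues beyond this hunk.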