iarv/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-05-18 07:16:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

fixes #506, additional checks before deleting files

Browse Source 
During upgrade of theme/plugin/language, we add some more test to prevent
transversal path
This commit is contained in:
plegall
2017-03-31 14:45:30 +02:00
parent 9783a61490
commit 2ea5a359fe
3 changed files with 89 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin/include/themes.class.php
+31
View File
@@ -594,6 +594,8 @@ SELECT
*/
function extract_theme_files($action, $revision, $dest)
{
global $logger;
if ($archive = tempnam( PHPWG_THEMES_PATH, 'zip'))
{
$url = PEM_URL . '/download.php';
@@ -619,6 +621,9 @@ SELECT
$main_filepath = $file['filename'];
}
}
$logger->debug(__FUNCTION__.', $main_filepath = '.$main_filepath);
if (isset($main_filepath))
{
$root = dirname($main_filepath); // main.inc.php path in archive
@@ -630,6 +635,9 @@ SELECT
{
$extract_path = PHPWG_THEMES_PATH . ($root == '.' ? 'extension_' . $dest : basename($root));
}
$logger->debug(__FUNCTION__.', $extract_path = '.$extract_path);
if (
$result = $zip->extract(
PCLZIP_OPT_PATH, $extract_path,
@@ -651,9 +659,32 @@ SELECT
and !empty($old_files))
{
$old_files[] = 'obsolete.list';
$logger->debug(__FUNCTION__.', $old_files = {'.join('},{', $old_files).'}');
$extract_path_realpath = realpath($extract_path);
foreach($old_files as $old_file)
{
$old_file = trim($old_file);
$old_file = trim($old_file, '/'); // prevent path starting with a "/"
if (empty($old_file)) // empty here means the extension itself
{
continue;
}
$path = $extract_path.'/'.$old_file;
// make sure the obsolete file is withing the extension directory, prevent traversal path
$realpath = realpath($path);
if ($realpath === false or strpos($realpath, $extract_path_realpath) !== 0)
{
continue;
}
$logger->debug(__FUNCTION__.', to delete = '.$path);
if (is_file($path))
{
@unlink($path);