Merge pull request from GHSA-7cmj-g5qc-pj88

Cacti · Apr 7, 2024 · eff35b0 · eff35b0
1 parent fd93c6e
commit eff35b0
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/lib/import.php b/lib/import.php
@@ -523,14 +523,22 @@ function import_package($xmlfile, $profile_id = 1, $remove_orphans = false, $rep
 		$fdata = base64_decode($f['data'], true);
 		$name  = $f['name'];
 
+		/* The xml file without path is the main template of the package. It is processed below using $debug_data */
 		if (strpos($name, 'scripts/') !== false || strpos($name, 'resource/') !== false) {
+
 			$filename = CACTI_PATH_BASE . "/$name";
 
 			if (!$preview) {
 				if (!cacti_sizeof($import_files) || in_array($name, $import_files, true)) {
-					cacti_log('Writing file: ' . $filename, false, 'IMPORT', POLLER_VERBOSITY_MEDIUM);
+					cacti_log('Checking filepath: ' . $filename, false, 'IMPORT', POLLER_VERBOSITY_MEDIUM);
+
+					if (!preg_match('/^(scripts|resource)[a-zA-Z0-9_\-\/]*$/', dirname($name))) {
+						cacti_log('FATAL: Incorrect path: ' . $filename, true, 'IMPORT', POLLER_VERBOSITY_LOW);
+
+						$filestatus[$filename] = __('incorrect path, file not saved');
+					} elseif ((is_writeable(dirname($filename)) && !file_exists($filename)) || is_writable($filename)) {
+						cacti_log('Writing file: ' . $filename, false, 'IMPORT', POLLER_VERBOSITY_MEDIUM);
 
-					if ((is_writeable(dirname($filename)) && !file_exists($filename)) || is_writable($filename)) {
 						$file = fopen($filename, 'wb');
 
 						if (is_resource($file)) {
@@ -562,7 +570,9 @@ function import_package($xmlfile, $profile_id = 1, $remove_orphans = false, $rep
 					$existing = md5_file($filename);
 				}
 
-				if (is_writeable(dirname($filename))) {
+				if (!preg_match('/^(scripts|resource)[a-zA-Z0-9_\-\/]*$/', dirname($name))) {
+					$filestatus[$filename] = 'incorrect path';
+				} elseif (is_writeable(dirname($filename))) {
 					if (file_exists($filename) && is_writable($filename)) {
 						if ($new == $existing) {
 							$filestatus[$filename] = 'writable, identical';
@@ -589,6 +599,7 @@ function import_package($xmlfile, $profile_id = 1, $remove_orphans = false, $rep
 				} else {
 					$filestatus[$filename] = 'not writable, new';
 				}
+
 			}
 		} else {
 			if (!$preview) {

diff --git a/package_import.php b/package_import.php
@@ -558,6 +558,8 @@ function import_display_package_data($templates, $files, $package_name, $xmlfile
 							$nstatus .= ($nstatus != '' ? ', ':'') . __('Writable');
 						} elseif ($s == 'new') {
 							$nstatus .= ($nstatus != '' ? ', ':'') . __('New');
+						} elseif ($s == 'incorrect path') {
+							$nstatus .= ($nstatus != '' ? ', ':'') . __('Incorrect path, will not be imported');
 						} else {
 							$nstatus .= ($nstatus != '' ? ', ':'') . __('Unknown');
 						}