From 1142fc231a294587b2642c2152776d37515358e7 Mon Sep 17 00:00:00 2001
From: Greg Hormann
Date: Sat, 26 Jun 2021 19:05:51 -0400
Subject: [PATCH] Add some sanity check to uploaded file names
https://www.huntr.dev/bounties/38-FalconChristmas/fpp/
---
 www/api/controllers/files.php | 8 +++++++
 www/common.php | 45 ++++++++++++++++++++++-------------
 www/jqupload.php | 5 ++--
 3 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/www/api/controllers/files.php b/www/api/controllers/files.php
index 207474fa9..e9824555d 100644
--- a/www/api/controllers/files.php
+++ b/www/api/controllers/files.php
@@ -219,6 +219,14 @@ function MoveFile()
 }
 }
+ if (! file_exists($uploadDirectory . "/" . $file)) {
+ $tempFile = sanitizeFilename($file);
+ if (file_exists($uploadDirectory . "/" . $tempFile)) {
+ // was sanitized during upload process
+ $file = $tempFile;
+ }
+ }
+
 $status = "OK";
 if (file_exists($uploadDirectory . "/" . $file)) {
diff --git a/www/common.php b/www/common.php
index acce6bc30..08117394d 100644
--- a/www/common.php
+++ b/www/common.php
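Review bot: The added block only substitutes the sanitized name when the raw `$file` does not exist on disk, so a raw value that file_exists() does resolve — including one that is not a single path component — is still the value used by the `file_exists($uploadDirectory . "/" . $file)` check that follows; whether MoveFile validates `$file` before line 219 is outside the hunk. Keeping the two-name lookup for uploads stored before this change is reasonable, but the raw name should first be confined to one path component, e.g. `if ($file !== basename($file)) { /* return the function's error status */ }` ahead of the new block. The call also assumes common.php, where sanitizeFilename is defined, is already loaded by this controller; if it is not, the new check fails on an undefined function. A comment such as `// older uploads may exist under the raw name; newer ones were stored sanitized` above the block would record why both names are tried.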
@@ -1824,24 +1824,37 @@ function network_list_interfaces_obj()
 }
 // Return array of FPP Only systems
-function getKnownFPPSystems() {
- $backupHosts = Array();
- $data = file_get_contents('http://localhost/api/fppd/multiSyncSystems');
- $arr = json_decode($data, true);
-
- if (array_key_exists("systems", $arr)) {
- foreach ($arr["systems"] as $i) {
- // FPP Systems are 0x01 to 0x80
- if ($i["typeId"] >= 1 && $i["typeId"] < 128) {
- $desc = $i["address"] . " - " . $i["hostname"];
- $backupHosts[$desc] = $i["address"];
- }
- }
- ksort($backupHosts);
- }
- return $backupHosts;
+function getKnownFPPSystems()
+{
+ $backupHosts = array();
+ $data = file_get_contents('http://localhost/api/fppd/multiSyncSystems');
+ $arr = json_decode($data, true);
+
+ if (array_key_exists("systems", $arr)) {
+ foreach ($arr["systems"] as $i) {
+ // FPP Systems are 0x01 to 0x80
+ if ($i["typeId"] >= 1 && $i["typeId"] < 128) {
+ $desc = $i["address"] . " - " . $i["hostname"];
+ $backupHosts[$desc] = $i["address"];
+ }
+ }
+ ksort($backupHosts);
+ }
+ return $backupHosts;
 }
+// Removes dangerious characters from file names
+// Original idea from https://stackoverflow.com/questions/2021624/string-sanitizer-for-filename
+function sanitizeFilename($file)
+{
+ $file = preg_replace("([^\w\s\d\-_~,;\[\]\(\).])", '', $file);
+ // Replace ".." with "." to provent problems
+ $file = preg_replace("([\.]{2,})", '.', $file);
+
+ return $file;
+}
+
+
 /////////////////////////////////////////////////////////////////////////////
diff --git a/www/jqupload.php b/www/jqupload.php
index ea51d9e1d..b155b6bbd 100644
--- a/www/jqupload.php
+++ b/www/jqupload.php
@@ -18,6 +18,7 @@
 //////////////////////////////////////////////////////////////////////////////
 $skipJSsettings = 1; // need this so config doesn't print out JavaScrip arrays
 require_once('config.php');
+require_once('common.php');
 $output_dir = $uploadDirectory . "/";
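Review bot: sanitizeFilename keeps `\s` in its allow-list, so tabs, carriage returns and newlines survive sanitization, and because the pattern has no `u` modifier `\w` is ASCII-only, so a name made of non-Latin letters is reduced to its punctuation (often `''` or a bare extension); `\d` and `_` are already covered by `\w`. Replacing the first pattern with `'/[^\w \-~,;\[\]().]/u'` (a plain space instead of `\s`, `/` delimiters so the parentheses need no escaping) addresses both, but with `u` preg_replace returns null on input that is not valid UTF-8, so the result needs a null check such as `if ($file === null) { $file = ''; }` before it is returned. The function also yields `''` for an all-stripped name and `.` for `..`, and both callers in jqupload.php pass that straight into move_uploaded_file; the header comment should state that the result may be empty and must be checked by the caller. The comments have typos: `dangerious` → `dangerous`, `provent` → `prevent`.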
@@ -36,7 +37,7 @@
 //If Any browser does not support serializing of multiple files using FormData()
 if(!is_array($_FILES["myfile"]["name"])) //single file
 {
- $fileName = $_FILES["myfile"]["name"];
+ $fileName = sanitizeFilename($_FILES["myfile"]["name"]);
 move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir.$fileName);
 $ret[]= $fileName;
 }
@@ -45,7 +46,7 @@
 $fileCount = count($_FILES["myfile"]["name"]);
 for($i=0; $i < $fileCount; $i++)
 {
- $fileName = $_FILES["myfile"]["name"][$i];
+ $fileName = sanitizeFilename($_FILES["myfile"]["name"][$i]);
 move_uploaded_file($_FILES["myfile"]["tmp_name"][$i],$output_dir.$fileName);
 $ret[]= $fileName;
 }
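Review bot: The sanitized name is used as the destination without checking that anything is left of it: when sanitizeFilename strips everything (`''`) or collapses the name to `.`, `$output_dir.$fileName` is the upload directory itself, move_uploaded_file fails, and because its return value is not tested the name is still appended to `$ret` as if it had been stored. The same applies to the per-file loop in the following hunk. Both sites should reject such a name before the move — `if ($fileName === '' || $fileName === '.') { continue; }` in the loop, with an equivalent early exit in the single-file branch — and append to `$ret` only when move_uploaded_file returns true. Note also that a sanitized name can coincide with a file already in `$output_dir`, which move_uploaded_file silently overwrites; whether that is acceptable for this directory is not visible here.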