Checking of remote file-types during import and other cleanup.

e107inc · Dec 17, 2021 · 90108ea · 90108ea
1 parent d8ce385
commit 90108ea
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 9 deletions.
diff --git a/e107_admin/image.php b/e107_admin/image.php
@@ -2486,7 +2486,11 @@ function processUploadUrl($import = false, $cat='_common')
 				$fileName = empty($uploadCaption) ? str_replace(array('.php', '.html', '.asp', '.htm'),'',$fileName). '_' .time() : eHelper::dasherize(strtolower($uploadCaption));
 			}
 
-			if(!$fl->getRemoteFile($tp->filter($_POST['upload_url'], 'url'), $fileName, 'import'))
+			if(!$fl->isAllowedType($_POST['upload_url']))
+			{
+				$mes->addError(defset('IMALAN_190', "Importing of this file-type is not allowed."));
+			}
+			elseif(!$fl->getRemoteFile($tp->filter($_POST['upload_url'], 'url'), $fileName, 'import'))
 			{
 				$mes->addError(IMALAN_176);
 			}

diff --git a/e107_handlers/comment_class.php b/e107_handlers/comment_class.php
@@ -271,7 +271,7 @@ function form_comment($action, $table, $id, $subject, $content_type, $return = F
 			$text = "\n<div{$indent}>\n".e107::getMessage()->render('postcomment', true, false);//temporary here
 
 		//	$text .= "Indent = ".$indent;
-			$text .= "<form id='{$formid}' method='post' action='".str_replace('http:', '', $_SERVER['REQUEST_URI'])."'  >";	
+			$text .= "<form id='{$formid}' method='post' action='".str_replace('http:', '', e_REQUEST_URI)."'  >";
 
 			$data = array(
 				'action'	=> $action,

diff --git a/e107_handlers/file_class.php b/e107_handlers/file_class.php
@@ -2177,7 +2177,7 @@ function isClean($filename, $target_name = '', $allowed_filetypes = array(), $un
 
 		/**
 		 * New in v2.1.9
-		 * Check filename or path against filetypes.xml
+		 * Check filename, path or URL against filetypes.xml
 		 *
 		 * @param        $file - real path to file.
 		 * @param string $targetFile
@@ -2191,12 +2191,26 @@ public function isAllowedType($file, $targetFile = '')
 				$targetFile = $file;
 			}
 
+			$remote = false;
+
+			if(strpos($targetFile,'http') === 0) // remote file.
+			{
+				$tmp = parse_url($targetFile);
+				$targetFile = $tmp['path'];
+				$remote = true;
+			}
+
 			$ext = pathinfo($targetFile, PATHINFO_EXTENSION);
 
 			$types = $this->getAllowedFileTypes();
 
 			if(isset($types[$ext]))
 			{
+				if($remote)
+				{
+					return true;
+				}
+
 				$maxSize = $types[$ext] * 1024;
 				$fileSize = filesize($file);
 

diff --git a/e107_languages/English/admin/help/menus.php b/e107_languages/English/admin/help/menus.php
@@ -27,7 +27,7 @@
 		{
 			$sql->select("menus","*", "menu_location='".$mc."' ORDER BY menu_order");
 			$count = 1;
-			$sql2 = new db;
+			$sql2 = e107::getDb('sql2');
 			while(list($menu_id, $menu_name, $menu_location, $menu_order) = $sql->fetch())
 			{
 				$sql2 ->update("menus", "menu_order='$count' WHERE menu_id='$menu_id' ");
@@ -48,7 +48,7 @@
 If you find the menus are not updating correctly, clicking the refresh button below may help. 
 
 [html]
-<form method='post' id='menurefresh' action='".$_SERVER['PHP_SELF']."'>
+<form method='post' id='menurefresh' action='".e_SELF."'>
 <div>
 ".$frm->admin_button('reset','Refresh','cancel')."</div>
 </form>
@@ -58,4 +58,4 @@
 ";
 
 $text = $tp->toHTML($text, true);
-$ns->tablerender("Menu Manager Help", $text);
+e107::getRender()->tablerender("Menu Manager Help", $text);
diff --git a/e107_languages/English/admin/lan_image.php b/e107_languages/English/admin/lan_image.php
@@ -214,4 +214,5 @@
 
 define("IMALAN_187", "Convert to webp during import");
 define("IMALAN_188", "Convert to webp during render");
-define("IMALAN_189", "JPEG, PNG and GIF files will be automatically converted to webp format. (icons excluded)");
+define("IMALAN_189", "JPEG, PNG and GIF files will be automatically converted to webp format. (icons excluded)");
+define("IMALAN_190", "Importing of this file-type is not allowed.");
diff --git a/e107_tests/tests/unit/e_fileTest.php b/e107_tests/tests/unit/e_fileTest.php
@@ -152,8 +152,14 @@ public function testIsAllowedType()
 
 		$isAllowedTest = array(
 			array('path'=> 'somefile.bla',                          'expected' => false), // suspicious
-			array('path'=> e_SYSTEM."filetypes.xml",                 'expected' => true), // okay
-			array('path'=> e_PLUGIN."gallery/images/butterfly.jpg",  'expected' => true), // okay
+			array('path'=> 'somefile.php',                          'expected' => false), // suspicious
+			array('path'=> 'somefile.exe',                          'expected' => false), // suspicious
+			array('path'=> e_SYSTEM."filetypes.xml",                 'expected' => true), // permitted
+			array('path'=> e_PLUGIN."gallery/images/butterfly.jpg",  'expected' => true), // permitted
+			array('path'=> 'http://127.0.0.1:8070/file.svg',        'expected'=>false), // not permitted
+			array('path'=> 'http://127.0.0.1:8070/butterfly.jpg',   'expected'=>true), // permitted
+			array('path'=> 'http://127.0.0.1/bla.php',              'expected'=>false), // suspicious
+			array('path'=> 'http://127.0.0.1/bla.php?butterfly.jpg',   'expected'=>false), // suspicious
 		);
 
 		foreach($isAllowedTest as $file)