From 90108eab3c8c7667d3a2560acf97f40dbe4fd3b3 Mon Sep 17 00:00:00 2001 From: Cameron Date: Fri, 17 Dec 2021 11:31:37 -0800 Subject: [PATCH] Checking of remote file-types during import and other cleanup. --- e107_admin/image.php | 6 +++++- e107_handlers/comment_class.php | 2 +- e107_handlers/file_class.php | 16 +++++++++++++++- e107_languages/English/admin/help/menus.php | 6 +++--- e107_languages/English/admin/lan_image.php | 3 ++- e107_tests/tests/unit/e_fileTest.php | 10 ++++++++-- 6 files changed, 34 insertions(+), 9 deletions(-) diff --git a/e107_admin/image.php b/e107_admin/image.php index b4e4c8fa00..bf6d072b8c 100644 --- a/e107_admin/image.php +++ b/e107_admin/image.php @@ -2486,7 +2486,11 @@ function processUploadUrl($import = false, $cat='_common') $fileName = empty($uploadCaption) ? str_replace(array('.php', '.html', '.asp', '.htm'),'',$fileName). '_' .time() : eHelper::dasherize(strtolower($uploadCaption)); } - if(!$fl->getRemoteFile($tp->filter($_POST['upload_url'], 'url'), $fileName, 'import')) + if(!$fl->isAllowedType($_POST['upload_url'])) + { + $mes->addError(defset('IMALAN_190', "Importing of this file-type is not allowed.")); + } + elseif(!$fl->getRemoteFile($tp->filter($_POST['upload_url'], 'url'), $fileName, 'import')) { $mes->addError(IMALAN_176); } diff --git a/e107_handlers/comment_class.php b/e107_handlers/comment_class.php index 26fdcea000..9319b101d9 100644 --- a/e107_handlers/comment_class.php +++ b/e107_handlers/comment_class.php @@ -271,7 +271,7 @@ function form_comment($action, $table, $id, $subject, $content_type, $return = F $text = "\n\n".e107::getMessage()->render('postcomment', true, false);//temporary here // $text .= "Indent = ".$indent; - $text .= "
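Review bot: The new guard in processUploadUrl() validates the raw `$_POST['upload_url']` while the fetch on the next line uses `$tp->filter($_POST['upload_url'], 'url')`, so the string that is checked is not necessarily the string that is downloaded; if the filter rewrites or strips characters, the extension seen by isAllowedType() can differ from the one getRemoteFile() acts on. Filter once and pass the same value to both calls: `$uploadUrl = $tp->filter($_POST['upload_url'], 'url'); if(!$fl->isAllowedType($uploadUrl)) { ... } elseif(!$fl->getRemoteFile($uploadUrl, $fileName, 'import'))`. The check is also only on the URL's path extension, not on what the remote host actually serves, so it is worth confirming that the downloaded file is still run through isClean() (or an equivalent content check) before it is placed in the import directory; getRemoteFile() is not visible here, so that may already happen. processUploadUrl() begins and ends outside this hunk.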
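Review bot: The remote detection `strpos($targetFile,'http') === 0` is case-sensitive and prefix-only, so `HTTP://host/x.php?y.jpg` or a protocol-relative `//host/x.php?y.jpg` skips the parse_url() branch and falls into the local-path logic, where pathinfo() on the whole string yields `jpg` and the `$types[$ext]` lookup succeeds (the subsequent filesize() on a non-local path would then warn and return false, but relying on that is fragile; whether such values reach this method depends on the callers). A tighter test is `if(preg_match('#^https?://#i', $targetFile)) // remote file.` so that only real http(s) URLs take the remote path. The new code also indexes `$tmp['path']` without checking it: parse_url() returns false for badly malformed input and omits `path` for `http://host`, which raises a notice and leaves `$targetFile` null; use `$targetFile = isset($tmp['path']) ? $tmp['path'] : '';`. isAllowedType() begins and ends outside this hunk, so the early `return true` for remote files skips only the size check shown here; the size of a remote file must then be bounded elsewhere.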
"; + $text .= ""; $data = array( 'action' => $action, diff --git a/e107_handlers/file_class.php b/e107_handlers/file_class.php index 3df71e1d71..d18b9d2029 100644 --- a/e107_handlers/file_class.php +++ b/e107_handlers/file_class.php @@ -2177,7 +2177,7 @@ function isClean($filename, $target_name = '', $allowed_filetypes = array(), $un /** * New in v2.1.9 - * Check filename or path against filetypes.xml + * Check filename, path or URL against filetypes.xml * * @param $file - real path to file. * @param string $targetFile @@ -2191,12 +2191,26 @@ public function isAllowedType($file, $targetFile = '') $targetFile = $file; } + $remote = false; + + if(strpos($targetFile,'http') === 0) // remote file. + { + $tmp = parse_url($targetFile); + $targetFile = $tmp['path']; + $remote = true; + } + $ext = pathinfo($targetFile, PATHINFO_EXTENSION); $types = $this->getAllowedFileTypes(); if(isset($types[$ext])) { + if($remote) + { + return true; + } + $maxSize = $types[$ext] * 1024; $fileSize = filesize($file); diff --git a/e107_languages/English/admin/help/menus.php b/e107_languages/English/admin/help/menus.php index 61d617b4c3..1dfec241f3 100644 --- a/e107_languages/English/admin/help/menus.php +++ b/e107_languages/English/admin/help/menus.php @@ -27,7 +27,7 @@ { $sql->select("menus","*", "menu_location='".$mc."' ORDER BY menu_order"); $count = 1; - $sql2 = new db; + $sql2 = e107::getDb('sql2'); while(list($menu_id, $menu_name, $menu_location, $menu_order) = $sql->fetch()) { $sql2 ->update("menus", "menu_order='$count' WHERE menu_id='$menu_id' "); @@ -48,7 +48,7 @@ If you find the menus are not updating correctly, clicking the refresh button below may help. [html] - +
".$frm->admin_button('reset','Refresh','cancel')."
@@ -58,4 +58,4 @@ "; $text = $tp->toHTML($text, true); -$ns->tablerender("Menu Manager Help", $text); \ No newline at end of file +e107::getRender()->tablerender("Menu Manager Help", $text); \ No newline at end of file diff --git a/e107_languages/English/admin/lan_image.php b/e107_languages/English/admin/lan_image.php index f14ad1a0d5..6eded27a30 100644 --- a/e107_languages/English/admin/lan_image.php +++ b/e107_languages/English/admin/lan_image.php @@ -214,4 +214,5 @@ define("IMALAN_187", "Convert to webp during import"); define("IMALAN_188", "Convert to webp during render"); -define("IMALAN_189", "JPEG, PNG and GIF files will be automatically converted to webp format. (icons excluded)"); \ No newline at end of file +define("IMALAN_189", "JPEG, PNG and GIF files will be automatically converted to webp format. (icons excluded)"); +define("IMALAN_190", "Importing of this file-type is not allowed."); \ No newline at end of file diff --git a/e107_tests/tests/unit/e_fileTest.php b/e107_tests/tests/unit/e_fileTest.php index e7570ee86a..89aeddbca8 100644 --- a/e107_tests/tests/unit/e_fileTest.php +++ b/e107_tests/tests/unit/e_fileTest.php 
@@ -152,8 +152,14 @@ public function testIsAllowedType() $isAllowedTest = array( array('path'=> 'somefile.bla', 'expected' => false), // suspicious - array('path'=> e_SYSTEM."filetypes.xml", 'expected' => true), // okay - array('path'=> e_PLUGIN."gallery/images/butterfly.jpg", 'expected' => true), // okay + array('path'=> 'somefile.php', 'expected' => false), // suspicious + array('path'=> 'somefile.exe', 'expected' => false), // suspicious + array('path'=> e_SYSTEM."filetypes.xml", 'expected' => true), // permitted + array('path'=> e_PLUGIN."gallery/images/butterfly.jpg", 'expected' => true), // permitted + array('path'=> 'http://127.0.0.1:8070/file.svg', 'expected'=>false), // not permitted + array('path'=> 'http://127.0.0.1:8070/butterfly.jpg', 'expected'=>true), // permitted + array('path'=> 'http://127.0.0.1/bla.php', 'expected'=>false), // suspicious + array('path'=> 'http://127.0.0.1/bla.php?butterfly.jpg', 'expected'=>false), // suspicious ); foreach($isAllowedTest as $file)
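Review bot: The new remote cases only cover lowercase `http://` URLs, so they do not exercise the scheme check in isAllowedType() against the inputs most likely to slip past a `strpos($targetFile,'http') === 0` prefix test; add `array('path'=> 'HTTP://127.0.0.1/bla.php?butterfly.jpg', 'expected'=>false), // suspicious` and `array('path'=> '//127.0.0.1/bla.php?butterfly.jpg', 'expected'=>false), // suspicious` so a case- or scheme-insensitive bypass fails the test rather than the filesize() fallback. A URL with no path at all, `array('path'=> 'http://127.0.0.1', 'expected'=>false),`, would also pin the behaviour for a missing `path` element from parse_url(). If the filetypes.xml keys are lowercase (not visible here), an uppercase-extension case such as `http://127.0.0.1/BLA.PHP` is worth adding too. The foreach loop that consumes this table continues outside the hunk.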