run Form::processForm() when importing settings so the same validatio…

…ns apply if the import file has malicious content Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
froxlor · Feb 7, 2023 · aa48ffc · aa48ffc
1 parent 802168c
commit aa48ffc
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 60 deletions.
diff --git a/lib/Froxlor/Froxlor.php b/lib/Froxlor/Froxlor.php
@@ -89,7 +89,7 @@ public static function getFullVersion(): string
 	 *
 	 * @return bool true if version to check does not match, else false
 	 */
-	public static function hasUpdates(string $to_check): bool
+	public static function hasUpdates(string $to_check = ''): bool
 	{
 		if (empty($to_check)) {
 			$to_check = self::VERSION;
@@ -109,7 +109,7 @@ public static function hasUpdates(string $to_check): bool
 	 *
 	 * @return bool true if version to check does not match, else false
 	 */
-	public static function hasDbUpdates(string $to_check): bool
+	public static function hasDbUpdates(string $to_check = ''): bool
 	{
 		if (empty($to_check)) {
 			$to_check = self::DBVERSION;

diff --git a/lib/Froxlor/SImExporter.php b/lib/Froxlor/SImExporter.php
@@ -27,6 +27,7 @@
 
 use Exception;
 use Froxlor\Database\Database;
+use Froxlor\UI\Form;
 use PDO;
 
 /**
@@ -79,14 +80,16 @@ public static function export()
 				$_data[$index] = $row['value'];
 			}
 
-			if (array_key_exists($row['settinggroup'], $settings_definitions) && array_key_exists($row['varname'], $settings_definitions[$row['settinggroup']])) {
+			if (array_key_exists($row['settinggroup'], $settings_definitions) && array_key_exists($row['varname'],
+					$settings_definitions[$row['settinggroup']])) {
 				// Export image file
 				if ($settings_definitions[$row['settinggroup']][$row['varname']]['type'] === "image") {
 					if ($row['value'] === "") {
 						continue;
 					}
 
-					$_data[$index . '.image_data'] = base64_encode(file_get_contents(explode('?', $row['value'], 2)[0]));
+					$_data[$index . '.image_data'] = base64_encode(file_get_contents(explode('?', $row['value'],
+						2)[0]));
 				}
 			}
 		}
@@ -140,66 +143,35 @@ public static function import($json_str = null)
 					$_data['system.le_froxlor_redirect'] = 0;
 				}
 			}
-			// store new data
-			foreach ($_data as $index => $value) {
-				$index_split = explode('.', $index, 3);
-
-				// Catch image_data and save it
-				if (isset($index_split[2]) && $index_split[2] === 'image_data' && !empty($_data[$index_split[0] . '.' . $index_split[1]])) {
-					$path = Froxlor::getInstallDir() . '/img/';
-					if (!is_dir($path) && !mkdir($path, 0775)) {
-						throw new Exception("img directory does not exist and cannot be created");
-					}
-
-					// Make sure we can write to the upload directory
-					if (!is_writable($path)) {
-						if (!chmod($path, 0775)) {
-							throw new Exception("Cannot write to img directory");
-						}
-					}
-
-					$img_data = base64_decode($value);
-					$img_filename = Froxlor::getInstallDir() . '/' . str_replace('../', '', explode('?', $_data[$index_split[0] . '.' . $index_split[1]], 2)[0]);
 
-					file_put_contents($img_filename, $img_data);
-
-					if (function_exists('finfo_open')) {
-						$finfo = finfo_open(FILEINFO_MIME_TYPE);
-						$mimetype = finfo_file($finfo, $img_filename);
-						finfo_close($finfo);
-					} else {
-						$mimetype = mime_content_type($img_filename);
-					}
-					if (empty($mimetype)) {
-						$mimetype = 'application/octet-stream';
+			$form_data = [];
+			// read in all current settings
+			$current_settings = Settings::getAll();
+			foreach ($current_settings as $setting_group => $setting) {
+				foreach ($setting as $varname => $value) {
+					// set all group/varname:values which are not in the import file
+					if (!isset($_data[$setting_group.'.'.$varname])) {
+						$_data[$setting_group.'.'.$varname] = $value;
 					}
-					if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
-						@unlink($img_filename);
-						throw new Exception("Uploaded file is not a valid image");
-					}
-
-					$spl = explode('.', $img_filename);
-					$file_extension = strtolower(array_pop($spl));
-					unset($spl);
-
-					if (!in_array($file_extension, [
-						'jpeg',
-						'jpg',
-						'png',
-						'gif'
-					])) {
-						@unlink($img_filename);
-						throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
-					}
-					continue;
 				}
+			}
+			// re-format the array-key for Form::processForm
+			foreach ($_data as $key => $value) {
+				$form_data[str_replace(".", "_", $key)] = $value;
+			}
 
-				Settings::Set($index, $value);
+			// store new data
+			$settings_data = PhpHelper::loadConfigArrayDir(Froxlor::getInstallDir() . '/actions/admin/settings/');
+			Settings::loadSettingsInto($settings_data);
+
+			if (Form::processForm($settings_data, $form_data, [], null, true)) {
+				// save to DB
+				Settings::Flush();
+				// all good
+				return true;
+			} else {
+				throw new Exception("Importing settings failed");
 			}
-			// save to DB
-			Settings::Flush();
-			// all good
-			return true;
 		}
 		throw new Exception("Invalid JSON data: " . json_last_error_msg());
 	}

diff --git a/lib/Froxlor/Settings.php b/lib/Froxlor/Settings.php
@@ -329,6 +329,12 @@ public static function loadSettingsInto(&$settings_data)
 		}
 	}
 
+	public static function getAll() : array
+	{
+		self::init();
+		return self::$data;
+	}
+
 	/**
 	 * get value from config by identifier
 	 */

diff --git a/lib/Froxlor/UI/Form.php b/lib/Froxlor/UI/Form.php
@@ -203,7 +203,7 @@ public static function prefetchFormFieldData($fieldname, $fielddata)
 		return $returnvalue;
 	}
 
-	public static function processForm(&$form, &$input, $url_params = [], $part = null, $settings_all = [], $settings_part = null, $only_enabledisable = false)
+	public static function processForm(&$form, &$input, $url_params = [], $part = null, bool $settings_all = false, $settings_part = null, bool $only_enabledisable = false)
 	{
 		if (\Froxlor\Validate\Form::validateFormDefinition($form)) {
 			$submitted_fields = [];