luos/workflow/engine/methods/processes/processes_GetFile.php

<?php
global $RBAC;
$RBAC->allows(basename(__FILE__), $_GET['MAIN_DIRECTORY']);

$mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';
$proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';
$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '';
$file = !empty($_GET['FILE']) ? $_GET['FILE'] : '';
$extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';

// Validate the main directory
switch ($mainDirectory) {
    case 'mailTemplates':
        $directory = PATH_DATA_MAILTEMPLATES;
        break;
    case 'public':
        $directory = PATH_DATA_PUBLIC;
        break;
    default:
        die();
        break;
}

// Validate if process exists, an exception is throwed if not exists
$process = new Process();
$process->load($proUid);

// Validate directory and file requested
$filter = new InputFilter();
$currentDirectory = $filter->validatePath($currentDirectory);
$file = $filter->validatePath($file);

// Build requested path
$directory .= $proUid . PATH_SEP . $currentDirectory;
$file .= $extension;

// Stream the file if path exists
if (file_exists($directory . $file)) {
    G::streamFile($directory . $file, true);
}
CODE STYLE workflow/engine/methods/processes/process_Delete.php workflow/engine/methods/processes/processes_DeleteObjectPermission.php workflow/engine/methods/processes/processes_doUpload.php workflow/engine/methods/processes/processes_DownloadFile.php workflow/engine/methods/processes/processes_DownloadFileXpdl.php workflow/engine/methods/processes/processes_checkProperties.php workflow/engine/methods/processes/processes_Export.php workflow/engine/methods/processes/processes_GetFile.php workflow/engine/methods/processes/processes_Import.php workflow/engine/methods/processes/processes_Import_Ajax.php 2012-10-17 12:03:40 -04:00			`<?php`
HOR-3858 Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC - exists process uid 2017-10-10 16:18:22 -04:00			`global $RBAC;`
			`$RBAC->allows(basename(__FILE__), $_GET['MAIN_DIRECTORY']);`

			`$mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';`
			`$proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';`
PMC-398 2019-01-16 12:21:17 -04:00			`$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '';`
			`$file = !empty($_GET['FILE']) ? $_GET['FILE'] : '';`
HOR-3858 Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC - exists process uid 2017-10-10 16:18:22 -04:00			`$extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';`

PMC-398 2019-01-16 12:21:17 -04:00			`// Validate the main directory`
HOR-3858 Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC - exists process uid 2017-10-10 16:18:22 -04:00			`switch ($mainDirectory) {`
CODE STYLE workflow/engine/methods/processes/process_Delete.php workflow/engine/methods/processes/processes_DeleteObjectPermission.php workflow/engine/methods/processes/processes_doUpload.php workflow/engine/methods/processes/processes_DownloadFile.php workflow/engine/methods/processes/processes_DownloadFileXpdl.php workflow/engine/methods/processes/processes_checkProperties.php workflow/engine/methods/processes/processes_Export.php workflow/engine/methods/processes/processes_GetFile.php workflow/engine/methods/processes/processes_Import.php workflow/engine/methods/processes/processes_Import_Ajax.php 2012-10-17 12:03:40 -04:00			`case 'mailTemplates':`
HOR-3858 Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC - exists process uid 2017-10-10 16:18:22 -04:00			`$directory = PATH_DATA_MAILTEMPLATES;`
CODE STYLE workflow/engine/methods/processes/process_Delete.php workflow/engine/methods/processes/processes_DeleteObjectPermission.php workflow/engine/methods/processes/processes_doUpload.php workflow/engine/methods/processes/processes_DownloadFile.php workflow/engine/methods/processes/processes_DownloadFileXpdl.php workflow/engine/methods/processes/processes_checkProperties.php workflow/engine/methods/processes/processes_Export.php workflow/engine/methods/processes/processes_GetFile.php workflow/engine/methods/processes/processes_Import.php workflow/engine/methods/processes/processes_Import_Ajax.php 2012-10-17 12:03:40 -04:00			`break;`
			`case 'public':`
HOR-3858 Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC - exists process uid 2017-10-10 16:18:22 -04:00			`$directory = PATH_DATA_PUBLIC;`
CODE STYLE workflow/engine/methods/processes/process_Delete.php workflow/engine/methods/processes/processes_DeleteObjectPermission.php workflow/engine/methods/processes/processes_doUpload.php workflow/engine/methods/processes/processes_DownloadFile.php workflow/engine/methods/processes/processes_DownloadFileXpdl.php workflow/engine/methods/processes/processes_checkProperties.php workflow/engine/methods/processes/processes_Export.php workflow/engine/methods/processes/processes_GetFile.php workflow/engine/methods/processes/processes_Import.php workflow/engine/methods/processes/processes_Import_Ajax.php 2012-10-17 12:03:40 -04:00			`break;`
			`default:`
			`die();`
			`break;`
			`}`
BUG 6589:I have been able to reproduce the issue, to solve this issue I have added a piece of code to allow to download this type of file 2011-03-30 10:38:49 -04:00
PMC-398 2019-01-16 12:21:17 -04:00			`// Validate if process exists, an exception is throwed if not exists`
			`$process = new Process();`
			`$process->load($proUid);`

			`// Validate directory and file requested`
			`$filter = new InputFilter();`
			`$currentDirectory = $filter->validatePath($currentDirectory);`
			`$file = $filter->validatePath($file);`

			`// Build requested path`
- sanitize field current_directory 2017-10-11 13:26:34 -04:00			`$directory .= $proUid . PATH_SEP . $currentDirectory;`
HOR-3858 Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC - exists process uid 2017-10-10 16:18:22 -04:00			`$file .= $extension;`

PMC-398 2019-01-16 12:21:17 -04:00			`// Stream the file if path exists`
HOR-3858 Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC - exists process uid 2017-10-10 16:18:22 -04:00			`if (file_exists($directory . $file)) {`
			`G::streamFile($directory . $file, true);`
BUG 6589:I have been able to reproduce the issue, to solve this issue I have added a piece of code to allow to download this type of file 2011-03-30 10:38:49 -04:00			`}`