Merged in paulis/processmaker/PM-VERACODE-15 (pull request #1794)

I solved some issues with Directory traversal
2015-03-30 11:56:28 -04:00
parent f2e8028ed2 576c83d738
commit 2bcbbd29e7
11 changed files with 70 additions and 17 deletions
--- a/gulliver/system/class.dbMaintenance.php
+++ b/gulliver/system/class.dbMaintenance.php
@@ -502,7 +502,7 @@ class DataBaseMaintenance
            $data .= ");\n";
        }
-        $data = $filter->xssFilterHard($data);
+        $data = $filter->preventSqlInjection($data);
        printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" );
        return $data;
    }
--- a/workflow/engine/classes/class.dynaformEditor.php
+++ b/workflow/engine/classes/class.dynaformEditor.php
@@ -515,6 +515,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
     */
    public function restore_html($A)
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $script = null;
        $fileTmp = G::decrypt($A, URL_KEY);
        $form = new Form($fileTmp, PATH_DYNAFORM, SYS_LANG, true);
@@ -527,10 +529,11 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
        $form->enableTemplate = false;
        $html = $form->printTemplate($form->template, $script);
        $html = str_replace('{$form_className}', 'formDefault', $html);
-        if (file_exists(PATH_DYNAFORM . $fileTmp . '.html')) {
+        $pathTmp = $filter->xssFilterHard(PATH_DYNAFORM . $fileTmp . '.html', 'path');
-            unlink(PATH_DYNAFORM . $fileTmp . '.html');
+        if (file_exists($pathTmp)) {
            unlink($pathTmp);
        }
-        $fp = fopen(PATH_DYNAFORM . $fileTmp . '.html', 'w');
+        $fp = fopen($pathTmp, 'w');
        fwrite($fp, $html);
        fclose($fp);
@@ -546,6 +549,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
    public function set_htmlcode($A, $htmlcode)
    {
        try {
            G::LoadSystem('inputfilter');
            $filter = new InputFilter();
            $iOcurrences = preg_match_all('/\{\$.*?\}/im', $htmlcode, $matches);
            if ($iOcurrences) {
                if (isset($matches[0])) {
@@ -561,6 +566,7 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
            $file = G::decrypt($A, URL_KEY);
            $form = new Form($file, PATH_DYNAFORM, SYS_LANG, true);
            $filename = substr($form->fileName, 0, - 3) . ($form->type === 'xmlform' ? '' : '.' . $form->type) . 'html';
            $filename = $filter->xssFilterHard($filename, 'path');
            $fp = fopen($filename, 'w');
            fwrite($fp, $htmlcode);
            fclose($fp);
@@ -598,10 +604,13 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
     */
    public function set_xmlcode($A, $xmlcode)
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $xmlcode = urldecode($xmlcode);
        $file = G::decrypt($A, URL_KEY);
        $xmlcode = str_replace('&nbsp;', ' ', trim($xmlcode));
-        $fp = fopen(PATH_DYNAFORM . $file . '.xml', 'w');
+        $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . $file . '.xml', "path");
        $fp = fopen($pathFile, 'w');
        fwrite($fp, $xmlcode);
        fclose($fp);
        return "";
@@ -647,6 +656,9 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
     */
    public function set_javascript($A, $fieldName, $sCode, $meta = '')
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $fieldName = $filter->xssFilterHard($fieldName, 'path');
        if ($fieldName == '___pm_boot_strap___') {
            return 0;
        }
@@ -661,8 +673,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
             */
            G::LoadSystem('dynaformhandler');
-
+            $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . "{$file}.xml", 'path');
-            $dynaform = new dynaFormHandler(PATH_DYNAFORM . "{$file}.xml");
+            $dynaform = new dynaFormHandler($pathFile);
            $dynaform->replace($fieldName, $fieldName, Array('type' => 'javascript', 'meta' => $meta, '#cdata' => $sCode
            ));
@@ -716,6 +728,8 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
    public function set_properties($A, $DYN_UID, $getFields)
    {
        try {
            G::LoadSystem('inputfilter');
            $filter = new InputFilter();
            $post = array();
            parse_str($getFields, $post);
            $Fields = $post['form'];
@@ -729,8 +743,9 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
                $tmp['Properties'] = $Fields;
                self::_setTmpData($tmp);
            }
-            $dynaform = new dynaFormHandler(PATH_DYNAFORM . "{$file}.xml");
+            $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . "{$file}.xml", 'path');
-            $dbc2 = new DBConnection(PATH_DYNAFORM . $file . '.xml', '', '', '', 'myxml');
+            $dynaform = new dynaFormHandler($pathFile);
            $dbc2 = new DBConnection($pathFile, '', '', '', 'myxml');
            $ses2 = new DBSession($dbc2);
            //if (!isset($Fields['ENABLETEMPLATE'])) $Fields['ENABLETEMPLATE'] ="0";
@@ -791,13 +806,15 @@ class dynaformEditorAjax extends dynaformEditor implements iDynaformEditorAjax
     */
    public function set_enabletemplate($A, $value)
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $file = G::decrypt($A, URL_KEY);
        $value = $value == "1" ? "1" : "0";
        // $dbc2 = new DBConnection( PATH_DYNAFORM . $file . '.xml', '', '', '', 'myxml' );
        // $ses2 = new DBSession( $dbc2 );
        // $ses2->execute( "UPDATE . SET ENABLETEMPLATE = '$value'" );
-
+        $pathFile = $filter->xssFilterHard(PATH_DYNAFORM . "{$file}.xml", 'path');
-        $dynaform = new dynaFormHandler(PATH_DYNAFORM . "{$file}.xml");
+        $dynaform = new dynaFormHandler($pathFile);
        $dynaform->modifyHeaderAttribute('enabletemplate', $value);
        return $value;
--- a/workflow/engine/classes/class.system.php
+++ b/workflow/engine/classes/class.system.php
@@ -281,11 +281,14 @@ class System
     */
    public function verifyFileForUpgrade ()
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $upgradeFilename = isset( $_FILES['form']['name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['name']['UPGRADE_FILENAME'] : '';
        $tempFilename = isset( $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] : '';
        $this->sRevision = str_replace( '.tar.gz', '', str_replace( 'pmos-patch-', '', $upgradeFilename ) );
        $sTemFilename = $tempFilename;
-        $this->sFilename = PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename;
+        $pathFile = $filter->xssFilterHard(PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename, 'path');
        $this->sFilename = $pathFile;
        $this->sPath = dirname( $this->sFilename ) . PATH_SEP;
        G::mk_dir( PATH_DATA . 'upgrade' );
        if (! move_uploaded_file( $sTemFilename, $this->sFilename )) {
@@ -615,8 +618,12 @@ class System
            }
        }
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        //clean up xmlform folders
        $sDir = PATH_C . 'xmlform';
        $sDir = $filter->xssFilterHard($sDir, 'path');
        if (file_exists( $sDir ) && is_dir( $sDir )) {
            $oDirectory = dir( $sDir );
            while ($sObjectName = $oDirectory->read()) {
@@ -729,8 +736,11 @@ class System
     */
    public static function getPluginSchema ($pluginName)
    {
-        if (file_exists( PATH_PLUGINS . $pluginName . "/config/schema.xml" )) {
+        G::LoadSystem('inputfilter');
-            return System::getSchema( PATH_PLUGINS . $pluginName . "/config/schema.xml" );
+        $filter = new InputFilter();
        $pathFile = $filter->xssFilterHard(PATH_PLUGINS . $pluginName . "/config/schema.xml", 'path');
        if (file_exists( $pathFile )) {
            return System::getSchema( $pathFile );
        } else {
            return false;
        }
--- a/workflow/engine/classes/class.wsTools.php
+++ b/workflow/engine/classes/class.wsTools.php
@@ -1387,6 +1387,9 @@ class workspaceTools
    static public function dirPerms($filename, $owner, $group, $perms)
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $filename = $filter->xssFilterHard($filename, 'path');
        $chown = @chown($filename, $owner);
        $chgrp = @chgrp($filename, $group);
        $chmod = @chmod($filename, $perms);
--- a/workflow/engine/controllers/pmTablesProxy.php
+++ b/workflow/engine/controllers/pmTablesProxy.php
@@ -666,9 +666,12 @@ class pmTablesProxy extends HttpProxyController
        public function importCSV ($httpData)
    {
        G::LoadClass('pmFunctions');
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $countRow = 250;
        if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
            $filename = $_FILES['form']['name']['CSV_FILE'];
            $filename = $filter->xssFilterHard($filename, 'path');
            if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
                require_once 'classes/model/AdditionalTables.php';
                $oAdditionalTables = new AdditionalTables();
@@ -762,8 +765,11 @@ class pmTablesProxy extends HttpProxyController
     */
    public function importCSVDeprecated ($httpData)
    {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
            $filename = $_FILES['form']['name']['CSV_FILE'];
            $filename = $filter->xssFilterHard($filename, 'path');
            if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
                require_once 'classes/model/AdditionalTables.php';
                $oAdditionalTables = new AdditionalTables();
--- a/workflow/engine/methods/cases/casesStreamingFile.php
+++ b/workflow/engine/methods/cases/casesStreamingFile.php
@@ -54,6 +54,9 @@ exit;
 function rangeDownload($location,$mimeType)
 {
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $location = $filter->xssFilterHard($location, "path");
    if (!file_exists($location))
    {
        header ("HTTP/1.0 404 Not Found");
--- a/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_FlatEditor.php
@@ -33,6 +33,8 @@ G::LoadClass( 'dynaFormField' );
 G::LoadClass( 'process' );
 G::LoadClass( 'dynaform' );
 //G::LoadClass('configuration');
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
 $G_MAIN_MENU = 'processmaker';
@@ -73,9 +75,10 @@ if (! file_exists( PATH_DYNAFORM . $file . '.xml' )) {
 /* End Comment */
  /* Start Comment: Create and temporal copy. */
-  $copy = implode( '', file( PATH_DYNAFORM . $file . '.xml' ) );
+$pathFile = $filter->xssFilterHard(PATH_DYNAFORM . $file . '.xml', 'path');
 $copy = implode( '', file( $pathFile ) );
 $file .= '_tmp0';
-$fcopy = fopen( PATH_DYNAFORM . $file . '.xml', "w" );
+$fcopy = fopen( $pathFile , "w" );
 fwrite( $fcopy, $copy );
 fclose( $fcopy );
 /* End Comment */
--- a/workflow/engine/methods/dynaforms/dynaforms_Save_as.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_Save_as.php
@@ -36,6 +36,8 @@ if (! class_exists( "FieldCondition" )) {
 try {
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $frm = $_POST['form'];
    $PRO_UID = $frm['PRO_UID'];
    $DYN_UID = $frm['DYN_UID'];
@@ -62,6 +64,7 @@ try {
    $hd = fopen( PATH_DYNAFORM . $PRO_UID . '/' . $DYN_UID . '.xml', "r" );
    $hd1 = fopen( PATH_DYNAFORM . $PRO_UID . '/' . $dynUid . '.xml', "w" );
    $templateFilename = PATH_DYNAFORM . $PRO_UID . '/' . $DYN_UID . '.html';
    $templateFilename = $filter->xssFilterHard($templateFilename, 'path');
    // also make a copy of the template file in case that the html edition is enabled
    if (file_exists( $templateFilename )) {
--- a/workflow/engine/methods/setup/languages_Import.php
+++ b/workflow/engine/methods/setup/languages_Import.php
@@ -56,10 +56,12 @@ try {
    $sMaxExecutionTime = ini_get( 'max_execution_time' );
    ini_set( 'max_execution_time', '0' );
    G::LoadClass( 'configuration' );
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $languageFile = $_FILES['form']['tmp_name']['LANGUAGE_FILENAME'];
    $languageFilename = $_FILES['form']['name']['LANGUAGE_FILENAME'];
-
+    $languageFilename = $filter->xssFilterHard($languageFilename, 'path');
    if (substr_compare( $languageFilename, ".gz", - 3, 3, true ) == 0) {
        $zp = gzopen( $languageFile, "r" );
        $languageFile = tempnam( __FILE__, '' );
--- a/workflow/engine/methods/setup/skin_Ajax.php
+++ b/workflow/engine/methods/setup/skin_Ajax.php
@@ -320,6 +320,8 @@ function importSkin ()
 function exportSkin ($skinToExport = "")
 {
    try {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        if (! isset( $_REQUEST['SKIN_FOLDER_ID'] )) {
            throw (new Exception( G::LoadTranslation( 'ID_SKIN_NAME_REQUIRED' ) ));
        }
@@ -329,6 +331,7 @@ function exportSkin ($skinToExport = "")
        $skinFolderBase = PATH_CUSTOM_SKINS . $skinName;
        $skinFolder = $skinFolderBase . PATH_SEP;
        $skinTar = PATH_CUSTOM_SKINS . $skinName . '.tar';
        $skinTar = $filter->xssFilterHard($skinTar, 'path');
        if (! is_dir( $skinFolder )) {
            throw (new Exception( G::LoadTranslation( 'ID_SKIN_DOESNT_EXIST' ) ));
        }
--- a/workflow/engine/methods/users/users_ViewPhoto.php
+++ b/workflow/engine/methods/users/users_ViewPhoto.php
@@ -91,6 +91,9 @@ function DumpHeaders ($filename)
    }
    //$filename = PATH_UPLOAD . "$filename";
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $filename = $filter->xssFilterHard($filename, 'path');
    readfile( $filename );
 }