From 9a186bf525db8d3586a790e03a6f565bb3a85cc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julio=20Cesar=20Laura=20Avenda=C3=B1o?=
Date: Wed, 16 Jan 2019 12:21:17 -0400
Subject: [PATCH] PMC-398

---
 workflow/engine/classes/ProcessMap.php | 28 ++++-
 .../methods/processes/processes_Ajax.php | 103 ++++++++--------
 .../methods/processes/processes_GetFile.php | 20 +++-
 3 files changed, 83 insertions(+), 68 deletions(-)

diff --git a/workflow/engine/classes/ProcessMap.php b/workflow/engine/classes/ProcessMap.php
index d6df7fc35..eb7c54390 100644
--- a/workflow/engine/classes/ProcessMap.php
+++ b/workflow/engine/classes/ProcessMap.php
@@ -4211,21 +4211,37 @@ class ProcessMap
         }
     }
 
-    public function downloadFile($sProcessUID, $sMainDirectory, $sCurrentDirectory, $sFile)
+    /**
+     * Stream a file from "mailTemplates" or "public" directory thats belongs to a process
+     *
+     * @param string $processUid
+     * @param string $mainDirectory
+     * @param string $currentDirectory
+     * @param string $file
+     */
+    public function downloadFile($processUid, $mainDirectory, $currentDirectory, $file)
     {
-        switch ($sMainDirectory) {
+        // Validate directory and file requested
+        $filter = new InputFilter();
+        $currentDirectory = $filter->validatePath($currentDirectory);
+        $file = $filter->validatePath($file);
+
+        // Validate the main directory
+        switch ($mainDirectory) {
             case 'mailTemplates':
-                $sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . ($sCurrentDirectory != '' ? $sCurrentDirectory . PATH_SEP : '');
+                $sDirectory = PATH_DATA_MAILTEMPLATES . $processUid . PATH_SEP . ($currentDirectory != '' ? $currentDirectory . PATH_SEP : '');
                 break;
             case 'public':
-                $sDirectory = PATH_DATA_PUBLIC . $sProcessUID . PATH_SEP . ($sCurrentDirectory != '' ? $sCurrentDirectory . PATH_SEP : '');
+                $sDirectory = PATH_DATA_PUBLIC . $processUid . PATH_SEP . ($currentDirectory != '' ? $currentDirectory . PATH_SEP : '');
                 break;
             default:
                 die();
                 break;
         }
-        if (file_exists($sDirectory . $sFile)) {
-            G::streamFile($sDirectory . $sFile, true);
+
+        // Stream the file if path exists
+        if (file_exists($sDirectory . $file)) {
+            G::streamFile($sDirectory . $file, true);
         }
     }
 
diff --git a/workflow/engine/methods/processes/processes_Ajax.php b/workflow/engine/methods/processes/processes_Ajax.php
index 6a978a941..fcca140b9 100644
--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
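Review bot: The `$processUid` segment is spliced into `$sDirectory` unvalidated while `$currentDirectory` and `$file` go through `InputFilter::validatePath()`, so if any caller hands this method a request-supplied UID, a `../` in that segment still escapes the mailTemplates/public root before the validated parts are appended. The sibling change in processes_GetFile.php covers its UID by calling `Process::load()` first; this method should reach the same bar with `$processUid = $filter->validatePath($processUid);` beside the other two calls, or a `processExists()` check before the path is built. `file_exists()` is also true for directories, so `is_file($sDirectory . $file)` is the safer guard in front of `G::streamFile()`. What `validatePath()` does with `..`, absolute paths and encoded separators is not visible here and should be confirmed before it is relied on alone; the bare `die()` in `default:` deserves a one-line comment saying the silent termination is intentional.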
@@ -1,28 +1,22 @@ .
- *
- * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
- * Coral Gables, FL, 33134, USA, or email info@colosa.com.
- */
 try {
+    // Validate the access to the actions of this file
+    if (!empty($_REQUEST['action']) && $_REQUEST['action'] == 'load') {
+        // Validate if exists the session variable "PROCESS", this action is requested from case tracker and running cases
+        $cannotAccess = empty($_SESSION['PROCESS']);
+    } else {
+        // Validate PM_FACTORY permission
+        global $RBAC;
+        $cannotAccess = $RBAC->userCanAccess('PM_FACTORY') !== 1;
+    }
+
+    if ($cannotAccess) {
+        G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
+        G::header( 'Location: ../login/login' );
+        die();
+    }
+
     $filter = new InputFilter();
     $_GET = $filter->xssFilterHard($_GET);
     $_POST = $filter->xssFilterHard($_POST);
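Review bot: For `action == 'load'` the new gate only tests that `$_SESSION['PROCESS']` is non-empty, not that it names the process the request asks for, so any user with a case open (case tracker, running cases) appears to pass for every `pro_uid` unless the load handler itself compares the two — that handler is outside this hunk and needs checking. If it does not, tie them together here: `$cannotAccess = empty($_SESSION['PROCESS']) || (isset($_REQUEST['pro_uid']) && $_REQUEST['pro_uid'] !== $_SESSION['PROCESS']);` (the save branch later in this file reads `$_REQUEST['pro_uid']`, so that is presumably the parameter name). On denial the endpoint answers with a 302 to `../login/login` plus a temporal message, which suits a page but for an Ajax caller an HTTP 403 with no redirect is clearer and stops the client from silently following into login HTML. `$_REQUEST['action'] == 'load'` is a loose comparison; `=== 'load'` says what is meant. The `try` block this sits in is closed outside the hunk.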
@@ -693,41 +687,38 @@ try {
             $_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
             global $G_PUBLISH;
             $G_PUBLISH = new Publisher();
-            global $RBAC;
-            if ($RBAC->userCanAccess('PM_FACTORY') == 1) {
-                $app = new Processes();
-                if (!$app->processExists($_REQUEST['pro_uid'])) {
-                    echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
-                    die;
-                }
-
-                $sDir = "";
-                if (isset($_REQUEST['MAIN_DIRECTORY'])) {
-                    $_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
-                    $sDir = $_REQUEST['MAIN_DIRECTORY'];
-                }
-                switch ($sDir) {
-                    case 'mailTemplates':
-                        $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
-                        G::auditLog('ProcessFileManager', 'Save template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
-                        break;
-                    case 'public':
-                        $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
-                        G::auditLog('ProcessFileManager', 'Save public template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
-                        break;
-                    default:
-                        $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
-                        break;
-                }
-                $fp = fopen($sDirectory, 'w');
-                $content = stripslashes($_REQUEST['fcontent']);
-                $content = str_replace("@amp@", "&", $content);
-                $content = base64_decode($content);
-                fwrite($fp, $content);
-                fclose($fp);
-                $sDirectory = $filter->xssFilterHard($sDirectory);
-                echo 'saved: ' . $sDirectory;
+            $app = new Processes();
+            if (!$app->processExists($_REQUEST['pro_uid'])) {
+                echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
+                die;
             }
+
+            $sDir = "";
+            if (isset($_REQUEST['MAIN_DIRECTORY'])) {
+                $_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
+                $sDir = $_REQUEST['MAIN_DIRECTORY'];
+            }
+            switch ($sDir) {
+                case 'mailTemplates':
+                    $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+                    G::auditLog('ProcessFileManager', 'Save template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
+                    break;
+                case 'public':
+                    $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+                    G::auditLog('ProcessFileManager', 'Save public template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
+                    break;
+                default:
+                    $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
+                    break;
+            }
+            $fp = fopen($sDirectory, 'w');
+            $content = stripslashes($_REQUEST['fcontent']);
+            $content = str_replace("@amp@", "&", $content);
+            $content = base64_decode($content);
+            fwrite($fp, $content);
+            fclose($fp);
+            $sDirectory = $filter->xssFilterHard($sDirectory);
+            echo 'saved: ' . $sDirectory;
             break;
         case 'getSessid':
             if (isset($_SESSION['USER_LOGGED'])) {
diff --git a/workflow/engine/methods/processes/processes_GetFile.php b/workflow/engine/methods/processes/processes_GetFile.php
index 685519820..df2e559c3 100644
--- a/workflow/engine/methods/processes/processes_GetFile.php
+++ b/workflow/engine/methods/processes/processes_GetFile.php
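Review bot: `$_REQUEST['filename']` is only passed through `xssFilterHard()` before being concatenated into `$sDirectory` and opened with `fopen(..., 'w')`; that filter is aimed at markup, and nothing in the hunk strips `..` or path separators, so a name like `../../x.php` still writes outside the process's mailTemplates/public directory — the two sibling files in this commit gained `InputFilter::validatePath()` for exactly this and this handler did not. Add `$_REQUEST['filename'] = $filter->validatePath($_REQUEST['filename']);` next to the existing `xssFilterHard` line, and consider `basename()` as well, since a template name should never carry a directory component. `fopen()` can return `false` (missing directory, permissions) and `fwrite`/`fclose` are then called on it; guard with `if ($fp === false) { echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED'); die; }` or switch to `file_put_contents()` and check its result. `$resultProcess['PRO_TITLE']` in the two audit-log lines is not assigned anywhere visible in the hunk, so if it is not set earlier in this `case` the log records an empty title. The `case` this body belongs to begins above the hunk.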
@@ -4,14 +4,11 @@ $RBAC->allows(basename(__FILE__), $_GET['MAIN_DIRECTORY']);
 $mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';
 $proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';
-$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? realpath($_GET['CURRENT_DIRECTORY']) . PATH_SEP : '';
-$file = !empty($_GET['FILE']) ? realpath($_GET['FILE']) : '';
+$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '';
+$file = !empty($_GET['FILE']) ? $_GET['FILE'] : '';
 $extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';
 
-//validated process exists, return throw if not exists.
-$process = new Process();
-$process->load($proUid);
-
+// Validate the main directory
 switch ($mainDirectory) {
     case 'mailTemplates':
         $directory = PATH_DATA_MAILTEMPLATES;
@@ -24,9 +21,20 @@ switch ($mainDirectory) {
         break;
 }
 
+// Validate if process exists, an exception is throwed if not exists
+$process = new Process();
+$process->load($proUid);
+
+// Validate directory and file requested
+$filter = new InputFilter();
+$currentDirectory = $filter->validatePath($currentDirectory);
+$file = $filter->validatePath($file);
+
+// Build requested path
 $directory .= $proUid . PATH_SEP . $currentDirectory;
 $file .= $extension;
 
+// Stream the file if path exists
 if (file_exists($directory . $file)) {
     G::streamFile($directory . $file, true);
 }
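Review bot: After `validatePath()` the requested path is still assembled by plain concatenation and guarded only by `file_exists()`, so the file stays under `$directory` only if `validatePath()` rejects every `..`, absolute and encoded form — its implementation is not visible in this diff. A canonical-path containment check after `$file .= $extension;` costs four lines and does not depend on that filter's exact behaviour, and `is_file()` in place of `file_exists()` keeps a directory name from reaching `G::streamFile()`. `$proUid` does not need the same treatment since `Process::load()` throws for an unknown UID, which the first hunk's comment already notes. The `switch` that precedes the second hunk begins outside it.
```php
// … unchanged: Process::load(), InputFilter::validatePath() calls …
$directory .= $proUid . PATH_SEP . $currentDirectory;
$file .= $extension;

// Resolve both sides and require the file to live under the process directory
$realBase = realpath($directory);
$realFile = realpath($directory . $file);
if ($realBase === false || $realFile === false || strpos($realFile, $realBase . PATH_SEP) !== 0) {
    die();
}

// Stream the file only if it is a regular file inside the process directory
if (is_file($realFile)) {
    G::streamFile($realFile, true);
}
```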