Merged in bugfix/PMC-398 (pull request #6753)

PMC-398 Approved-by: Julio Cesar Laura Avendaño <contact@julio-laura.com> Approved-by: Paula Quispe <paula.quispe@processmaker.com>
2019-01-18 19:51:11 +00:00
parent 54cbcb76c0 9a186bf525
commit 339d3e28bb
3 changed files with 83 additions and 68 deletions
--- a/workflow/engine/classes/ProcessMap.php
+++ b/workflow/engine/classes/ProcessMap.php
@@ -4211,21 +4211,37 @@ class ProcessMap
        }
    }
-    public function downloadFile($sProcessUID, $sMainDirectory, $sCurrentDirectory, $sFile)
+    /**
     * Stream a file from "mailTemplates" or "public" directory thats belongs to a process
     *
     * @param string $processUid
     * @param string $mainDirectory
     * @param string $currentDirectory
     * @param string $file
     */
    public function downloadFile($processUid, $mainDirectory, $currentDirectory, $file)
    {
-        switch ($sMainDirectory) {
+        // Validate directory and file requested
        $filter = new InputFilter();
        $currentDirectory = $filter->validatePath($currentDirectory);
        $file = $filter->validatePath($file);
        // Validate the main directory
        switch ($mainDirectory) {
            case 'mailTemplates':
-                $sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . ($sCurrentDirectory != '' ? $sCurrentDirectory . PATH_SEP : '');
+                $sDirectory = PATH_DATA_MAILTEMPLATES . $processUid . PATH_SEP . ($currentDirectory != '' ? $currentDirectory . PATH_SEP : '');
                break;
            case 'public':
-                $sDirectory = PATH_DATA_PUBLIC . $sProcessUID . PATH_SEP . ($sCurrentDirectory != '' ? $sCurrentDirectory . PATH_SEP : '');
+                $sDirectory = PATH_DATA_PUBLIC . $processUid . PATH_SEP . ($currentDirectory != '' ? $currentDirectory . PATH_SEP : '');
                break;
            default:
                die();
                break;
        }
-        if (file_exists($sDirectory . $sFile)) {
+
-            G::streamFile($sDirectory . $sFile, true);
+        // Stream the file if path exists
        if (file_exists($sDirectory . $file)) {
            G::streamFile($sDirectory . $file, true);
        }
    }
--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
@@ -1,28 +1,22 @@
 <?php
 /**
 * processes_Ajax.php
 *
 * ProcessMaker Open Source Edition
 * Copyright (C) 2004 - 2008 Colosa Inc.23
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
 try {
    // Validate the access to the actions of this file
    if (!empty($_REQUEST['action']) && $_REQUEST['action'] == 'load') {
        // Validate if exists the session variable "PROCESS", this action is requested from case tracker and running cases
        $cannotAccess = empty($_SESSION['PROCESS']);
    } else {
        // Validate PM_FACTORY permission
        global $RBAC;
        $cannotAccess = $RBAC->userCanAccess('PM_FACTORY') !== 1;
    }
    if ($cannotAccess) {
        G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
        G::header( 'Location: ../login/login' );
        die();
    }
    $filter = new InputFilter();
    $_GET = $filter->xssFilterHard($_GET);
    $_POST = $filter->xssFilterHard($_POST);
@@ -693,41 +687,38 @@ try {
            $_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
            global $G_PUBLISH;
            $G_PUBLISH = new Publisher();
-            global $RBAC;
+            $app = new Processes();
-            if ($RBAC->userCanAccess('PM_FACTORY') == 1) {
+            if (!$app->processExists($_REQUEST['pro_uid'])) {
-                $app = new Processes();
+                echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
-                if (!$app->processExists($_REQUEST['pro_uid'])) {
+                die;
                    echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
                    die;
                }
                $sDir = "";
                if (isset($_REQUEST['MAIN_DIRECTORY'])) {
                    $_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
                    $sDir = $_REQUEST['MAIN_DIRECTORY'];
                }
                switch ($sDir) {
                    case 'mailTemplates':
                        $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
                        G::auditLog('ProcessFileManager', 'Save template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
                        break;
                    case 'public':
                        $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
                        G::auditLog('ProcessFileManager', 'Save public template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
                        break;
                    default:
                        $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
                        break;
                }
                $fp = fopen($sDirectory, 'w');
                $content = stripslashes($_REQUEST['fcontent']);
                $content = str_replace("@amp@", "&", $content);
                $content = base64_decode($content);
                fwrite($fp, $content);
                fclose($fp);
                $sDirectory = $filter->xssFilterHard($sDirectory);
                echo 'saved: ' . $sDirectory;
            }
            $sDir = "";
            if (isset($_REQUEST['MAIN_DIRECTORY'])) {
                $_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
                $sDir = $_REQUEST['MAIN_DIRECTORY'];
            }
            switch ($sDir) {
                case 'mailTemplates':
                    $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
                    G::auditLog('ProcessFileManager', 'Save template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
                    break;
                case 'public':
                    $sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
                    G::auditLog('ProcessFileManager', 'Save public template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
                    break;
                default:
                    $sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
                    break;
            }
            $fp = fopen($sDirectory, 'w');
            $content = stripslashes($_REQUEST['fcontent']);
            $content = str_replace("@amp@", "&", $content);
            $content = base64_decode($content);
            fwrite($fp, $content);
            fclose($fp);
            $sDirectory = $filter->xssFilterHard($sDirectory);
            echo 'saved: ' . $sDirectory;
            break;
        case 'getSessid':
            if (isset($_SESSION['USER_LOGGED'])) {
--- a/workflow/engine/methods/processes/processes_GetFile.php
+++ b/workflow/engine/methods/processes/processes_GetFile.php
@@ -4,14 +4,11 @@ $RBAC->allows(basename(__FILE__), $_GET['MAIN_DIRECTORY']);
 $mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';
 $proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';
-$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? realpath($_GET['CURRENT_DIRECTORY']) . PATH_SEP : '';
+$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '';
-$file = !empty($_GET['FILE']) ? realpath($_GET['FILE']) : '';
+$file = !empty($_GET['FILE']) ? $_GET['FILE'] : '';
 $extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';
-//validated process exists, return throw if not exists.
+// Validate the main directory
 $process = new Process();
 $process->load($proUid);
 switch ($mainDirectory) {
    case 'mailTemplates':
        $directory = PATH_DATA_MAILTEMPLATES;
@@ -24,9 +21,20 @@ switch ($mainDirectory) {
        break;
 }
 // Validate if process exists, an exception is throwed if not exists
 $process = new Process();
 $process->load($proUid);
 // Validate directory and file requested
 $filter = new InputFilter();
 $currentDirectory = $filter->validatePath($currentDirectory);
 $file = $filter->validatePath($file);
 // Build requested path
 $directory .= $proUid . PATH_SEP . $currentDirectory;
 $file .= $extension;
 // Stream the file if path exists
 if (file_exists($directory . $file)) {
    G::streamFile($directory . $file, true);
 }