From 33a6e236b9dafeebccf407e5b59e2715ae2d86d3 Mon Sep 17 00:00:00 2001
From: Marco Antonio Nina Mena
Date: Mon, 30 Oct 2017 08:31:21 -0400
Subject: [PATCH] HOR-4017 CLONE 3.2.2 - Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal - Add validation path only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC
---
 gulliver/system/class.rbac.php | 4 +++
 .../methods/processes/processes_GetFile.php | 30 ++++++++++++++-----
 2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index f4639e2c3..45122f307 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -181,6 +181,10 @@ class RBAC
 'DEL' => ['PM_SETUP'],
 'LST' => ['PM_SETUP'],
 'TEST' => ['PM_SETUP']
+ ],
+ 'processes_GetFile.php' => [
+ 'mailTemplates' => ['PM_FACTORY'],
+ 'public' => ['PM_FACTORY']
 ]
 ];
 $this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE];
diff --git a/workflow/engine/methods/processes/processes_GetFile.php b/workflow/engine/methods/processes/processes_GetFile.php
index 477f2d6d9..7698c3d75 100644
--- a/workflow/engine/methods/processes/processes_GetFile.php
+++ b/workflow/engine/methods/processes/processes_GetFile.php
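Review bot: The new `'processes_GetFile.php'` entry leaves undocumented that its sub-keys are the literal `MAIN_DIRECTORY` values that `processes_GetFile.php` passes as the action to `allows()`, so this list and the `switch` in that script must be kept in step; a comment such as `// keys are the MAIN_DIRECTORY values accepted by processes_GetFile.php` on the `'processes_GetFile.php' => [` line would make that coupling visible. Whether `allows()` denies a request whose action is absent from this map (an empty or unexpected `MAIN_DIRECTORY`) or only consults the listed entries is decided outside this hunk and is worth confirming, since the script reads the action straight from `$_GET`. The enclosing method continues outside the hunk.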
@@ -1,18 +1,32 @@ allows(basename(__FILE__), $_GET['MAIN_DIRECTORY']);
+
+$mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';
+$proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';
+$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? realpath($_GET['CURRENT_DIRECTORY']) . PATH_SEP : '';
+$file = !empty($_GET['FILE']) ? realpath($_GET['FILE']) : '';
+$extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';
+
+//validated process exists, return throw if not exists.
+$process = new Process();
+$process->load($proUid);
+
+switch ($mainDirectory) {
 case 'mailTemplates':
- $sDirectory = PATH_DATA_MAILTEMPLATES . $_GET['PRO_UID'] . PATH_SEP . ($_GET['CURRENT_DIRECTORY'] != '' ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ $directory = PATH_DATA_MAILTEMPLATES;
 break;
 case 'public':
- $sDirectory = PATH_DATA_PUBLIC . $_GET['PRO_UID'] . PATH_SEP . ($_GET['CURRENT_DIRECTORY'] != '' ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '');
+ $directory = PATH_DATA_PUBLIC;
 break;
 default:
 die();
 break;
 }
-//fixed: added a file extension when is a javascript file by krlos
-$_GET['FILE'] .= ($_GET['sFilextension'] != '' && $_GET['sFilextension'] == 'javascript') ? '.js' : '';
-if (file_exists( $sDirectory . $_GET['FILE'] )) {
- G::streamFile( $sDirectory . $_GET['FILE'], true );
-}
+$directory .= $proUid . PATH_SEP . $currentDirectory;
+$file .= $extension;
+
+if (file_exists($directory . $file)) {
+ G::streamFile($directory . $file, true);
+}
\ No newline at end of file
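Review bot: The `realpath()` calls on the `$currentDirectory` and `$file` lines canonicalize each user-supplied component on its own, resolved against the process working directory rather than against `$directory`, and the result is concatenated after the base without ever being compared to it, so containment rests on an accident of string concatenation rather than on an explicit check. It also breaks ordinary requests: for a plain `FILE=name.js` that does not exist in the working directory `realpath()` returns `false`, `$file` collapses to the bare extension, and the final `file_exists($directory . $file)` is effectively evaluated on `$directory` itself. Canonicalize the fully assembled path instead and serve it only when it is a regular file under `realpath($directory . $proUid)`; the rewrite below replaces the two `realpath()` assignments and the block after the `switch`. The hunk's opening lines, including the `allows()` call, are partly garbled in this view, so they are not reviewed here.
```php
$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '';
$file = !empty($_GET['FILE']) ? $_GET['FILE'] : '';
// … unchanged: $extension, Process::load(), switch on $mainDirectory …
$baseDirectory = realpath($directory . $proUid);
if ($baseDirectory === false) {
    die();
}
$requestedFile = realpath($baseDirectory . PATH_SEP . $currentDirectory . $file . $extension);

// realpath() has already collapsed '..' segments and symlinks, so a prefix test
// against the canonical process directory is sufficient; directories are refused too.
if ($requestedFile === false
    || strpos($requestedFile, $baseDirectory . PATH_SEP) !== 0
    || !is_file($requestedFile)
) {
    die();
}
G::streamFile($requestedFile, true);
```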