Merged in bugfix/HOR-3434 (pull request #5879)
HOR-3434 Approved-by: Julio Cesar Laura Avendaño <contact@julio-laura.com>
This commit is contained in:
Dante Loayza
@@ -152,6 +152,11 @@ class pmTables extends Controller
|
|||||||
$sFileName = $httpData->f;
|
$sFileName = $httpData->f;
|
||||||
|
|
||||||
$realPath = $PUBLIC_ROOT_PATH . $sFileName;
|
$realPath = $PUBLIC_ROOT_PATH . $sFileName;
|
||||||
|
|
||||||
|
if ($this->isValidFileToBeStreamed($sFileName) === false) {
|
||||||
|
throw new Exception("You are trying to access an unauthorized resource.");
|
||||||
|
}
|
||||||
|
|
||||||
G::streamFile( $realPath, true );
|
G::streamFile( $realPath, true );
|
||||||
unlink( $realPath );
|
unlink( $realPath );
|
||||||
}
|
}
|
||||||
@@ -206,5 +211,32 @@ class pmTables extends Controller
|
|||||||
$tableSize = $tableSize - 8; // Prefix PMT_
|
$tableSize = $tableSize - 8; // Prefix PMT_
|
||||||
return $tableSize;
|
return $tableSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates if the file with the $fileName is a valid one,
|
||||||
|
* that is, it must be a file without relative references that
|
||||||
|
* can open a door to get some unauthorized system file and
|
||||||
|
* must have one of the valid file extensions.
|
||||||
|
*
|
||||||
|
* @param $fileName, emporal file name that will be streamed
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
private function isValidFileToBeStreamed($fileName)
|
||||||
|
{
|
||||||
|
$result = true;
|
||||||
|
$validExtensionsForExporting = ['csv', 'pmt'];
|
||||||
|
|
||||||
|
$pathInfo = pathinfo($fileName);
|
||||||
|
|
||||||
|
if ($pathInfo['dirname'] !== '.') {
|
||||||
|
$result = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!in_array($pathInfo['extension'], $validExtensionsForExporting)) {
|
||||||
|
$result = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user