BUG 13436 ProcessMaker 2.x Authenticated PHP Code Execution SOLVED

- The function sent in the variable $_REQUEST['action'] was always executed - A new method was implemented to validate if is a user custom function or a system function (G::isUserFunction)
2013-10-30 20:01:43 -04:00
parent 61d529c2e0
commit 50282bab93
5 changed files with 54 additions and 46 deletions
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -5222,6 +5222,14 @@ class G

        return $path;
    }
+
+    public function isUserFunction($functionName) {
+        $allFunctions = get_defined_functions();
+        if (!isset($allFunctions['user'])) {
+            $allFunctions['user'] = array();
+        }
+        return in_array(strtolower($functionName), $allFunctions['user']);
+    }
 }

 /**
--- a/workflow/engine/methods/appFolder/appFolderAjax.php
+++ b/workflow/engine/methods/appFolder/appFolderAjax.php
@@ -20,7 +20,7 @@ if (! isset ($_REQUEST ['action'])) {
    print G::json_encode ($res);
    die ();
 }
-if (! function_exists ($_REQUEST ['action'])) {
+if (! function_exists ($_REQUEST['action']) || !G::isUserFunction($_REQUEST['action'])) {
    $res ['success'] = false;
    $res ['message'] = 'The requested action does not exist';
    print G::json_encode ($res);
--- a/workflow/engine/methods/cases/caseNotesAjax.php
+++ b/workflow/engine/methods/cases/caseNotesAjax.php
@@ -5,7 +5,7 @@ if (! isset( $_REQUEST['action'] )) {
    print G::json_encode( $res );
    die();
 }
-if (! function_exists( $_REQUEST['action'] )) {
+if (! function_exists( $_REQUEST['action'] ) || !G::isUserFunction($_REQUEST['action'])) {
    $res['success'] = 'failure';
    $res['message'] = 'The requested action does not exist';
    header( "Content-Type: application/json" );
--- a/workflow/engine/methods/cases/casesStartPage_Ajax.php
+++ b/workflow/engine/methods/cases/casesStartPage_Ajax.php
@@ -13,7 +13,7 @@ if (! isset( $_REQUEST['action'] )) {
    print G::json_encode( $res );
    die();
 }
-if (! function_exists( $_REQUEST['action'] )) {
+if (! function_exists( $_REQUEST['action'] ) || !G::isUserFunction($_REQUEST['action'])) {
    $res['success'] = 'failure';
    $res['message'] = G::LoadTranslation( 'ID_REQUEST_ACTION_NOT_EXIST' );
    print G::json_encode( $res );
--- a/workflow/engine/methods/cases/cases_SchedulerGetPlugins.php
+++ b/workflow/engine/methods/cases/cases_SchedulerGetPlugins.php
@@ -6,7 +6,7 @@ if (! isset( $_REQUEST['action'] )) {
    print G::json_encode( $return );
    die();
 }
-if (! function_exists( $_REQUEST['action'] )) {
+if (! function_exists( $_REQUEST['action'] ) || !G::isUserFunction($_REQUEST['action'])) {
    $return['success'] = 'failure';
    $return['message'] = 'The requested action doesn\'t exists';
    print G::json_encode( $return );