From 5c1220c055c4822f10b3640ea3b5f046482e41b7 Mon Sep 17 00:00:00 2001
From: qronald
Date: Tue, 24 Jan 2017 16:53:53 -0400
Subject: [PATCH 1/2] HOR-2530
---
 pmos.conf.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pmos.conf.example b/pmos.conf.example
index 5c0fac310..a592ed0bc 100644
--- a/pmos.conf.example
+++ b/pmos.conf.example
@@ -6,7 +6,7 @@ Options Indexes FollowSymLinks MultiViews
- AllowOverride None
+ AllowOverride All
 Order allow,deny
 Allow from all
 Require all granted
From 1f6cac8a94f4902398df5d1900977ed296cbe7d0 Mon Sep 17 00:00:00 2001
From: Roly Rudy Gutierrez Pinto
Date: Wed, 8 Feb 2017 16:01:52 -0400
Subject: [PATCH 2/2] HOR-2533
---
 framework/src/Maveriks/WebApplication.php | 1 +
 gulliver/system/class.bootstrap.php | 35 +++++++++++++++++++
 gulliver/system/class.g.php | 25 ++++++++++---
 workflow/engine/classes/class.system.php | 3 +-
 .../translations/english/processmaker.en.po | 12 +++++++
 .../methods/appFolder/appFolderAjax.php | 12 +++++++
 .../BusinessModel/Cases/InputDocument.php | 10 ++++++
 .../BusinessModel/FilesManager.php | 5 +++
 .../src/ProcessMaker/BusinessModel/Light.php | 10 ++++++
 workflow/public_html/sysGeneric.php | 12 +++++++
 10 files changed, 119 insertions(+), 6 deletions(-)
diff --git a/framework/src/Maveriks/WebApplication.php b/framework/src/Maveriks/WebApplication.php
index e4f26c85f..21c9473e1 100644
--- a/framework/src/Maveriks/WebApplication.php
+++ b/framework/src/Maveriks/WebApplication.php
@@ -533,6 +533,7 @@ class WebApplication
 define("PATH_DYNAFORM", PATH_DATA_SITE . "xmlForms/");
 define("PATH_IMAGES_ENVIRONMENT_FILES", PATH_DATA_SITE . "usersFiles" . PATH_SEP);
 define("PATH_IMAGES_ENVIRONMENT_USERS", PATH_DATA_SITE . "usersPhotographies" . PATH_SEP);
+ define('DISABLE_PHP_UPLOAD_EXECUTION', $arraySystemConfiguration['disable_php_upload_execution']);
 /**
 * Global definitions, before it was the defines.php file
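Review bot: `AllowOverride All` lets any `.htaccess` below this `<Directory>` override handler, type and `Options` directives, so a directory an attacker can write into (the upload and process `public` trees that HOR-2533 in this same series tries to gate — if they sit under this directory; the enclosing `<Directory>` is outside the hunk) can carry a `.htaccess` with `AddHandler`/`SetHandler` or `php_flag engine on` and re-enable PHP execution regardless of the application-level check. If the goal is to honour the application's own `.htaccess` rewrite rules, note that `FileInfo` (which rewriting needs) already permits `AddHandler`, so the protection has to come from a separate block for the data/upload tree: `AllowOverride None` plus `php_admin_flag engine off` there, which `.htaccess` cannot revert. The unchanged `Options Indexes FollowSymLinks MultiViews` line on the new side deserves the same pass: `Indexes` lists uploaded filenames and `MultiViews` can serve a file requested without its extension.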
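Review bot: The constant is defined straight from `$arraySystemConfiguration['disable_php_upload_execution']` with no existence check or cast, so if that array is ever built without the default this series adds in class.system.php (an env.ini loaded by an older code path, for example) the line raises an undefined-index notice and the constant becomes `null`, which `Bootstrap::getDisablePhpUploadExecution()` casts to 0 — the protection silently off. Safer: `define('DISABLE_PHP_UPLOAD_EXECUTION', isset($arraySystemConfiguration['disable_php_upload_execution']) ? (int) $arraySystemConfiguration['disable_php_upload_execution'] : 0);`. The same constant is also defined in sysGeneric.php by this patch; if both bootstraps run in one request the second `define()` emits a warning, so a `defined()` guard is cheap insurance. The enclosing method starts before the hunk.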
diff --git a/gulliver/system/class.bootstrap.php b/gulliver/system/class.bootstrap.php
index ce6c4b9d1..bbf34e800 100644
--- a/gulliver/system/class.bootstrap.php
+++ b/gulliver/system/class.bootstrap.php
@@ -2964,5 +2964,40 @@ class Bootstrap
 );
 return $aContext;
 }
+
+ /**
+ * get DISABLE_PHP_UPLOAD_EXECUTION value defined in env.ini
+ * @return int
+ */
+ public static function getDisablePhpUploadExecution()
+ {
+ $disablePhpUploadExecution = 0;
+ if (defined("DISABLE_PHP_UPLOAD_EXECUTION")) {
+ $disablePhpUploadExecution = (int) DISABLE_PHP_UPLOAD_EXECUTION;
+ }
+ return $disablePhpUploadExecution;
+ }
+
+ /**
+ * Record the action of executing a php file or attempting to upload a php
+ * file in server.
+ * @param type $channel
+ * @param type $level
+ * @param type $message
+ * @param type $fileName
+ */
+ public static function registerMonologPhpUploadExecution($channel, $level, $message, $fileName)
+ {
+ $context = \Bootstrap::getDefaultContextLog();
+ $context['action'] = $channel;
+ $context['filename'] = $fileName;
+ if (defined("SYS_CURRENT_URI") && defined("SYS_CURRENT_PARMS")) {
+ $context['url'] = SYS_CURRENT_URI . '?' . SYS_CURRENT_PARMS;
+ }
+ $context['usrUid'] = isset($_SESSION['USER_LOGGED']) ? $_SESSION['USER_LOGGED'] : '';
+ $sysSys = defined("SYS_SYS") ? SYS_SYS : "Undefined";
+ \Bootstrap::registerMonolog($channel, $level, $message, $context, $sysSys, 'processmaker.log');
+ }
+
 }
diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index 6b593fb25..4501720a9 100644
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
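Review bot: `(int) DISABLE_PHP_UPLOAD_EXECUTION` turns a non-numeric setting such as `true`/`on`/`yes` (if the ini parser hands them through raw — worth confirming) into 0 and leaves a value like 2 as 2, while the callers are split between `=== 0` (the execution gate in class.g.php) and `=== 1` (every upload gate), so an unexpected value blocks execution but still lets the upload through. Normalise once here so every comparison agrees and anything truthy fails closed: `$v = DISABLE_PHP_UPLOAD_EXECUTION;` then `$disablePhpUploadExecution = ((int) $v !== 0 || filter_var($v, FILTER_VALIDATE_BOOLEAN)) ? 1 : 0;`. In `registerMonologPhpUploadExecution` the `url` field records the full query string from `SYS_CURRENT_PARMS`, which on some requests can carry tokens or case data; logging `SYS_CURRENT_URI` alone, or redacting known parameters, keeps processmaker.log from becoming a secondary secret store. The `@param type` placeholders should name real types (`string $channel`, `int $level`, `string $message`, `string $fileName`).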
@@ -1242,7 +1242,14 @@ class G if ($download) { G::sendHeaders( $filename, 'text/plain', $download, $downloadFileName ); } else { - require_once ($filename); + if (\Bootstrap::getDisablePhpUploadExecution() === 0) { + \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $filename); + require_once ($filename); + } else { + $message = G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED'); + \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $filename); + echo $message; + } return; } break; @@ -5538,16 +5545,24 @@ class G $res->status = false; $allowedTypes = array_map('G::getRealExtension', explode(',', $InpDocAllowedFiles)); + // Get the file extension + $aux = pathinfo($fileName); + $fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : ''; + + if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $fileExtension === 'php') { + $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED'); + \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileName); + $res->status = false; + $res->message = $message; + return $res; + } + // If required extension is *.* don't validate if (in_array('*', $allowedTypes)) { $res->status = true; return $res; } - // Get the file extension - $aux = pathinfo($fileName); - $fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : ''; - // If no valid extension finish (unnecesary check file content) $validExtension = in_array($fileExtension, $allowedTypes); if (!$validExtension) { diff --git a/workflow/engine/classes/class.system.php b/workflow/engine/classes/class.system.php index beaa5196c..973c5642e 100644 --- a/workflow/engine/classes/class.system.php +++ b/workflow/engine/classes/class.system.php 
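Review bot: On the refused branch the response still goes out as HTTP 200 with the translated message as its body, so the caller and anything monitoring this endpoint record a success for a request that was denied; send a real status first, `header('HTTP/1.1 403 Forbidden');` ahead of `echo $message;`. The 550 (Monolog ALERT) entry with the resolved `$filename` is the right audit record for a refusal, but the 200 INFO entry on the allowed branch now fires on every normal execution of a stored PHP file — fine as a trail, provided log rotation is sized for it. The enclosing method begins before this hunk.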
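Review bot: The block matches only the literal lowercased `php` extension, so `shell.phtml`, `shell.phar`, `shell.php5`/`.php7`, `.pht` and `.phps` all pass, and which of those the web server executes depends on its handler mapping (Debian's stock mod_php conf maps `.phar` and `.phtml` as well, for instance), so block the usual family: `$phpLike = array('php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'phps', 'pht');` and `if (\Bootstrap::getDisablePhpUploadExecution() === 1 && in_array($fileExtension, $phpLike, true)) {`. With `AddHandler`-style configs Apache applies the handler to `shell.php.jpg` too, so testing every dot-separated segment of the name rather than only the last is worth considering. The same test is hand-copied into appFolderAjax.php, InputDocument.php, FilesManager.php and Light.php in this patch and those copies do not lowercase; a single `Bootstrap::isBlockedPhpUpload($fileName)` helper would keep the five from drifting. The enclosing method starts and ends outside the hunk.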
@@ -78,7 +78,8 @@ class System
 'leave_case_warning' => 0,
 'server_hostname_requests_frontend' => '',
 'load_headers_ie' => 0,
- 'redirect_to_mobile' => 0
+ 'redirect_to_mobile' => 0,
+ 'disable_php_upload_execution' => 0
 );
 /**
diff --git a/workflow/engine/content/translations/english/processmaker.en.po b/workflow/engine/content/translations/english/processmaker.en.po
index 1872d7e25..3348bc83e 100644
--- a/workflow/engine/content/translations/english/processmaker.en.po
+++ b/workflow/engine/content/translations/english/processmaker.en.po
@@ -27419,6 +27419,18 @@ msgstr "External Registration"
 msgid "Filter By"
 msgstr "Filter By"
+# TRANSLATION
+# LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
+#: LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
+msgid "The upload of PHP files was disabled please contact the system administrator."
+msgstr "The upload of PHP files was disabled please contact the system administrator."
+
+# TRANSLATION
+# LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
+#: LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
+msgid "The PHP files execution was disabled please contact the system administrator."
+msgstr "The PHP files execution was disabled please contact the system administrator."
+
 # TRANSLATION
 # LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
 #: LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
diff --git a/workflow/engine/methods/appFolder/appFolderAjax.php b/workflow/engine/methods/appFolder/appFolderAjax.php
index 72926ee81..f1c7f68d7 100644
--- a/workflow/engine/methods/appFolder/appFolderAjax.php
+++ b/workflow/engine/methods/appFolder/appFolderAjax.php
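Review bot: The default of `0` makes the new PHP upload/execution block opt-in, so every existing install and every fresh one that does not add `disable_php_upload_execution = 1` to env.ini keeps accepting and executing uploaded `.php` files exactly as before this patch. If the worry is deployments that rely on placing PHP in process `public` folders, ship `1` in the env.ini example and installer and let those sites set an explicit `0`, or at least document the key next to the other options in this array so administrators know it exists. The array continues beyond the hunk.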
@@ -1534,6 +1534,18 @@ function uploadExternalDocument() //Read. Instance Document classes if (!empty($quequeUpload)) { + foreach ($quequeUpload as $key => $fileObj) { + $extension = pathinfo($fileObj['fileName'], PATHINFO_EXTENSION); + if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extension === 'php') { + $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED'); + \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileObj['fileName']); + $response['error'] = $message; + $response['message'] = $message; + $response['success'] = false; + print_r(G::json_encode($response)); + exit(); + } + } $docUid=$_POST['docUid']; $appDocUid=isset($_POST['APP_DOC_UID'])?$_POST['APP_DOC_UID']:""; $docVersion=isset($_POST['docVersion'])?$_POST['docVersion']:""; diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php b/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php index 53ca8677f..0426def6b 100644 --- a/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php 
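Review bot: `pathinfo(..., PATHINFO_EXTENSION)` is compared case-sensitively, so `shell.PHP` or `shell.Php` passes this gate while the class.g.php check in the same patch lowercases first; use `$extension = strtolower(pathinfo($fileObj['fileName'], PATHINFO_EXTENSION));` and the same extension list as there (`phtml`, `phar`, `php5`, … — whichever the server's handler maps). The loop aborts the whole batch on the first offending file without saying which one; putting `$fileObj['fileName']` into `$response['message']` helps both the user and whoever reads the log. `print_r(G::json_encode($response))` works but `echo` is the conventional way to emit a JSON string, and `$key` is unused. `uploadExternalDocument()` begins before the hunk.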
@@ -971,6 +971,16 @@ class InputDocument $aFields = array("APP_UID" => $appUid, "DEL_INDEX" => $delIndex, "USR_UID" => $userUid, "DOC_UID" => -1, "APP_DOC_TYPE" => "ATTACHED", "APP_DOC_CREATE_DATE" => date("Y-m-d H:i:s"), "APP_DOC_COMMENT" => "", "APP_DOC_TITLE" => "", "APP_DOC_FILENAME" => $arrayFileName[$i], "APP_DOC_FIELDNAME" => $fieldName); } + $sExtension = pathinfo($aFields["APP_DOC_FILENAME"]); + if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $sExtension["extension"] === 'php') { + $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED'); + \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $sFileName); + \G::SendMessageText($message, "ERROR"); + $backUrlObj = explode("sys" . SYS_SYS, $_SERVER['HTTP_REFERER']); + \G::header("location: " . "/sys" . SYS_SYS . $backUrlObj[1]); + die(); + } + $oAppDocument = new \AppDocument(); $oAppDocument->create($aFields); diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php index aa8cd56a1..a949ce0a5 100644 --- a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php @@ -187,6 +187,11 @@ class FilesManager if ($extention == '.exe') { throw new \Exception(\G::LoadTranslation('ID_FILE_UPLOAD_INCORRECT_EXTENSION')); } + if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extention === '.php') { + $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED'); + \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $aData['prf_filename']); + throw new \Exception($message); + } break; default: $sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . $sSubDirectory . $aData['prf_filename']; diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Light.php b/workflow/engine/src/ProcessMaker/BusinessModel/Light.php index e739eb485..d33c85488 100644 
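Review bot: `$sExtension["extension"]` is read without checking it exists, so a filename with no dot raises an undefined-index notice on every attachment, and the comparison is case-sensitive, so `x.PHP` is not caught; replace the two lines with `$ext = strtolower(pathinfo($aFields["APP_DOC_FILENAME"], PATHINFO_EXTENSION));` and `if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $ext === 'php') {`. `$sFileName`, passed to the logger, is not assigned anywhere in the hunk — unless it is set earlier in the method the log entry records an empty filename; `$aFields["APP_DOC_FILENAME"]` is the value that should be logged. The redirect is built from `$_SERVER['HTTP_REFERER']`, which can be absent or lack the `sys<workspace>` segment, leaving `$backUrlObj[1]` undefined; guarding that, or throwing the way FilesManager.php does in this same patch instead of `header`+`die()` inside a BusinessModel class, would be more robust. The enclosing method starts before the hunk.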
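Review bot: `$extention === '.php'` depends on how `$extention` is derived above the hunk — if it is not lowercased there, `.PHP` slips through, and `.phtml`/`.phar`/`.php5`-style names are not covered at all; compare against a lowercased list, `in_array(strtolower($extention), array('.php', '.phtml', '.phar', '.php3', '.php4', '.php5', '.php7', '.phps', '.pht'), true)`, matching whatever the server's PHP handler maps. Throwing here, rather than echoing and dying as the other copies of this check do, is the right shape for a BusinessModel method and the others would do well to follow it. The enclosing `switch` and method start before the hunk.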
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Light.php +++ b/workflow/engine/src/ProcessMaker/BusinessModel/Light.php @@ -902,6 +902,16 @@ class Light $response = array(); if (is_array($request_data)) { foreach ($request_data as $k => $file) { + $ext = pathinfo($file['name'], PATHINFO_EXTENSION); + if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $ext === 'php') { + $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED'); + \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $file['name']); + $response[$k]['error'] = array( + "code" => "400", + "message" => $message + ); + continue; + } $oCase = new \Cases(); $delIndex = $oCase->getCurrentDelegation($app_uid, $userUid); $docUid = !empty($file['docUid']) ? $file['docUid'] : -1; diff --git a/workflow/public_html/sysGeneric.php b/workflow/public_html/sysGeneric.php index 0b32f04eb..2e07667f6 100644 --- a/workflow/public_html/sysGeneric.php +++ b/workflow/public_html/sysGeneric.php @@ -342,6 +342,7 @@ define ('WS_IN_LOGIN', isset($config['WS_IN_LOGIN']) ? $config['WS_IN_LOGIN'] : define('LOAD_HEADERS_IE', $config['load_headers_ie']); define('LEAVE_CASE_WARNING', $config['leave_case_warning']); define('REDIRECT_TO_MOBILE', $config['redirect_to_mobile']); +define('DISABLE_PHP_UPLOAD_EXECUTION', $config['disable_php_upload_execution']); // IIS Compatibility, SERVER_ADDR doesn't exist on that env, so we need to define it. $_SERVER['SERVER_ADDR'] = isset( $_SERVER['SERVER_ADDR'] ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['SERVER_NAME']; 
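Review bot: `pathinfo($file['name'], PATHINFO_EXTENSION)` is compared case-sensitively, so `x.PHP` bypasses the gate here while class.g.php in the same patch lowercases; use `$ext = strtolower(pathinfo(isset($file['name']) ? $file['name'] : '', PATHINFO_EXTENSION));`, which also avoids a notice when a request item carries no `name`. Because the branch `continue`s, the remaining files in the same request are still processed — a reasonable choice, but the opposite of appFolderAjax.php, which aborts the whole batch; a one-line comment stating the intent would make the difference look deliberate. The enclosing method starts before the hunk.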
@@ -813,6 +814,17 @@ if (substr( SYS_COLLECTION, 0, 8 ) === 'gulliver') {
 die();
 }
+ Bootstrap::initVendors();
+ Bootstrap::LoadSystem( 'monologProvider' );
+ if (\Bootstrap::getDisablePhpUploadExecution() === 1) {
+ $message = \G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $phpFile);
+ echo $message;
+ die();
+ } else {
+ \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $phpFile);
+ }
+
 $avoidChangedWorkspaceValidation = true;
 $bWE = true;
 //$phpFile = PATH_DATA_SITE . 'public' . PATH_SEP . SYS_COLLECTION . PATH_SEP . $auxPart[ count($auxPart)-1];
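Review bot: The refusal path answers with HTTP 200 and the message as body, so the client and any monitoring record a successful request; emit `header('HTTP/1.1 403 Forbidden');` before `echo $message;`. `$phpFile` is passed to both log calls, yet the only assignment in view is the commented-out line at the bottom of the hunk, so unless it is set earlier in this block (which begins before the hunk) the entries log an undefined variable — log the resolved path that the execution further down actually includes. `initVendors()` and `LoadSystem('monologProvider')` now run on every public PHP request just to write the INFO entry; acceptable as an audit trail, but confirm this is not a second initialisation on top of what the normal bootstrap already loaded.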