Merged in feature/HOR-2570 (pull request #5408)
feature/HOR-2570 Approved-by: Paula Quispe Approved-by: Julio Cesar Laura Avendaño
This commit is contained in:
Paula Quispe
@@ -533,6 +533,7 @@ class WebApplication
|
||||
define("PATH_DYNAFORM", PATH_DATA_SITE . "xmlForms/");
|
||||
define("PATH_IMAGES_ENVIRONMENT_FILES", PATH_DATA_SITE . "usersFiles" . PATH_SEP);
|
||||
define("PATH_IMAGES_ENVIRONMENT_USERS", PATH_DATA_SITE . "usersPhotographies" . PATH_SEP);
|
||||
define('DISABLE_PHP_UPLOAD_EXECUTION', $arraySystemConfiguration['disable_php_upload_execution']);
|
||||
|
||||
/**
|
||||
* Global definitions, before it was the defines.php file
|
||||
|
||||
@@ -2964,5 +2964,40 @@ class Bootstrap
|
||||
);
|
||||
return $aContext;
|
||||
}
|
||||
|
||||
/**
|
||||
* get DISABLE_PHP_UPLOAD_EXECUTION value defined in env.ini
|
||||
* @return int
|
||||
*/
|
||||
public static function getDisablePhpUploadExecution()
|
||||
{
|
||||
$disablePhpUploadExecution = 0;
|
||||
if (defined("DISABLE_PHP_UPLOAD_EXECUTION")) {
|
||||
$disablePhpUploadExecution = (int) DISABLE_PHP_UPLOAD_EXECUTION;
|
||||
}
|
||||
return $disablePhpUploadExecution;
|
||||
}
|
||||
|
||||
/**
|
||||
* Record the action of executing a php file or attempting to upload a php
|
||||
* file in server.
|
||||
* @param type $channel
|
||||
* @param type $level
|
||||
* @param type $message
|
||||
* @param type $fileName
|
||||
*/
|
||||
public static function registerMonologPhpUploadExecution($channel, $level, $message, $fileName)
|
||||
{
|
||||
$context = \Bootstrap::getDefaultContextLog();
|
||||
$context['action'] = $channel;
|
||||
$context['filename'] = $fileName;
|
||||
if (defined("SYS_CURRENT_URI") && defined("SYS_CURRENT_PARMS")) {
|
||||
$context['url'] = SYS_CURRENT_URI . '?' . SYS_CURRENT_PARMS;
|
||||
}
|
||||
$context['usrUid'] = isset($_SESSION['USER_LOGGED']) ? $_SESSION['USER_LOGGED'] : '';
|
||||
$sysSys = defined("SYS_SYS") ? SYS_SYS : "Undefined";
|
||||
\Bootstrap::registerMonolog($channel, $level, $message, $context, $sysSys, 'processmaker.log');
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
@@ -1241,7 +1241,14 @@ class G
|
||||
if ($download) {
|
||||
G::sendHeaders( $filename, 'text/plain', $download, $downloadFileName );
|
||||
} else {
|
||||
if (\Bootstrap::getDisablePhpUploadExecution() === 0) {
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $filename);
|
||||
require_once ($filename);
|
||||
} else {
|
||||
$message = G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $filename);
|
||||
echo $message;
|
||||
}
|
||||
return;
|
||||
}
|
||||
break;
|
||||
@@ -5539,16 +5546,24 @@ class G
|
||||
$res->status = false;
|
||||
$allowedTypes = array_map('G::getRealExtension', explode(',', $InpDocAllowedFiles));
|
||||
|
||||
// Get the file extension
|
||||
$aux = pathinfo($fileName);
|
||||
$fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : '';
|
||||
|
||||
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $fileExtension === 'php') {
|
||||
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileName);
|
||||
$res->status = false;
|
||||
$res->message = $message;
|
||||
return $res;
|
||||
}
|
||||
|
||||
// If required extension is *.* don't validate
|
||||
if (in_array('*', $allowedTypes)) {
|
||||
$res->status = true;
|
||||
return $res;
|
||||
}
|
||||
|
||||
// Get the file extension
|
||||
$aux = pathinfo($fileName);
|
||||
$fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : '';
|
||||
|
||||
// If no valid extension finish (unnecesary check file content)
|
||||
$validExtension = in_array($fileExtension, $allowedTypes);
|
||||
if (!$validExtension) {
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
|
||||
<Directory /example/path/to/processmaker/workflow/public_html>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
AllowOverride None
|
||||
AllowOverride All
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
Require all granted
|
||||
|
||||
@@ -78,7 +78,8 @@ class System
|
||||
'leave_case_warning' => 0,
|
||||
'server_hostname_requests_frontend' => '',
|
||||
'load_headers_ie' => 0,
|
||||
'redirect_to_mobile' => 0
|
||||
'redirect_to_mobile' => 0,
|
||||
'disable_php_upload_execution' => 0
|
||||
);
|
||||
|
||||
/**
|
||||
|
||||
@@ -27419,6 +27419,18 @@ msgstr "External Registration"
|
||||
msgid "Filter By"
|
||||
msgstr "Filter By"
|
||||
|
||||
# TRANSLATION
|
||||
# LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
|
||||
#: LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
|
||||
msgid "The upload of PHP files was disabled please contact the system administrator."
|
||||
msgstr "The upload of PHP files was disabled please contact the system administrator."
|
||||
|
||||
# TRANSLATION
|
||||
# LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
|
||||
#: LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
|
||||
msgid "The PHP files execution was disabled please contact the system administrator."
|
||||
msgstr "The PHP files execution was disabled please contact the system administrator."
|
||||
|
||||
# TRANSLATION
|
||||
# LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
|
||||
#: LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
|
||||
|
||||
@@ -1534,6 +1534,18 @@ function uploadExternalDocument()
|
||||
|
||||
//Read. Instance Document classes
|
||||
if (!empty($quequeUpload)) {
|
||||
foreach ($quequeUpload as $key => $fileObj) {
|
||||
$extension = pathinfo($fileObj['fileName'], PATHINFO_EXTENSION);
|
||||
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extension === 'php') {
|
||||
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileObj['fileName']);
|
||||
$response['error'] = $message;
|
||||
$response['message'] = $message;
|
||||
$response['success'] = false;
|
||||
print_r(G::json_encode($response));
|
||||
exit();
|
||||
}
|
||||
}
|
||||
$docUid=$_POST['docUid'];
|
||||
$appDocUid=isset($_POST['APP_DOC_UID'])?$_POST['APP_DOC_UID']:"";
|
||||
$docVersion=isset($_POST['docVersion'])?$_POST['docVersion']:"";
|
||||
|
||||
@@ -971,6 +971,16 @@ class InputDocument
|
||||
$aFields = array("APP_UID" => $appUid, "DEL_INDEX" => $delIndex, "USR_UID" => $userUid, "DOC_UID" => -1, "APP_DOC_TYPE" => "ATTACHED", "APP_DOC_CREATE_DATE" => date("Y-m-d H:i:s"), "APP_DOC_COMMENT" => "", "APP_DOC_TITLE" => "", "APP_DOC_FILENAME" => $arrayFileName[$i], "APP_DOC_FIELDNAME" => $fieldName);
|
||||
}
|
||||
|
||||
$sExtension = pathinfo($aFields["APP_DOC_FILENAME"]);
|
||||
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $sExtension["extension"] === 'php') {
|
||||
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $sFileName);
|
||||
\G::SendMessageText($message, "ERROR");
|
||||
$backUrlObj = explode("sys" . SYS_SYS, $_SERVER['HTTP_REFERER']);
|
||||
\G::header("location: " . "/sys" . SYS_SYS . $backUrlObj[1]);
|
||||
die();
|
||||
}
|
||||
|
||||
$oAppDocument = new \AppDocument();
|
||||
$oAppDocument->create($aFields);
|
||||
|
||||
|
||||
@@ -187,6 +187,11 @@ class FilesManager
|
||||
if ($extention == '.exe') {
|
||||
throw new \Exception(\G::LoadTranslation('ID_FILE_UPLOAD_INCORRECT_EXTENSION'));
|
||||
}
|
||||
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extention === '.php') {
|
||||
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $aData['prf_filename']);
|
||||
throw new \Exception($message);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
$sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . $sSubDirectory . $aData['prf_filename'];
|
||||
|
||||
@@ -902,6 +902,16 @@ class Light
|
||||
$response = array();
|
||||
if (is_array($request_data)) {
|
||||
foreach ($request_data as $k => $file) {
|
||||
$ext = pathinfo($file['name'], PATHINFO_EXTENSION);
|
||||
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $ext === 'php') {
|
||||
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $file['name']);
|
||||
$response[$k]['error'] = array(
|
||||
"code" => "400",
|
||||
"message" => $message
|
||||
);
|
||||
continue;
|
||||
}
|
||||
$oCase = new \Cases();
|
||||
$delIndex = $oCase->getCurrentDelegation($app_uid, $userUid);
|
||||
$docUid = !empty($file['docUid']) ? $file['docUid'] : -1;
|
||||
|
||||
@@ -337,6 +337,7 @@ define ('WS_IN_LOGIN', isset($config['WS_IN_LOGIN']) ? $config['WS_IN_LOGIN'] :
|
||||
define('LOAD_HEADERS_IE', $config['load_headers_ie']);
|
||||
define('LEAVE_CASE_WARNING', $config['leave_case_warning']);
|
||||
define('REDIRECT_TO_MOBILE', $config['redirect_to_mobile']);
|
||||
define('DISABLE_PHP_UPLOAD_EXECUTION', $config['disable_php_upload_execution']);
|
||||
|
||||
// IIS Compatibility, SERVER_ADDR doesn't exist on that env, so we need to define it.
|
||||
$_SERVER['SERVER_ADDR'] = isset( $_SERVER['SERVER_ADDR'] ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['SERVER_NAME'];
|
||||
@@ -801,6 +802,17 @@ if (substr( SYS_COLLECTION, 0, 8 ) === 'gulliver') {
|
||||
die();
|
||||
}
|
||||
|
||||
Bootstrap::initVendors();
|
||||
Bootstrap::LoadSystem( 'monologProvider' );
|
||||
if (\Bootstrap::getDisablePhpUploadExecution() === 1) {
|
||||
$message = \G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $phpFile);
|
||||
echo $message;
|
||||
die();
|
||||
} else {
|
||||
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $phpFile);
|
||||
}
|
||||
|
||||
$avoidChangedWorkspaceValidation = true;
|
||||
$bWE = true;
|
||||
//$phpFile = PATH_DATA_SITE . 'public' . PATH_SEP . SYS_COLLECTION . PATH_SEP . $auxPart[ count($auxPart)-1];
|
||||
|
||||
Reference in New Issue
Block a user