From cac0c4e96e2a370948f50f77e1977e528e54b908 Mon Sep 17 00:00:00 2001
From: "marcelo.cuiza"
Date: Mon, 6 Apr 2015 17:43:51 -0400
Subject: [PATCH] veracode medium issues Directory Transversal, OS Command Injection

---
 .../HTMLPurifier/DefinitionCache/Serializer.php | 6 +++++-
 gulliver/thirdparty/pear/Net/FTP/Socket.php | 7 ++++++-
 gulliver/thirdparty/phing/Phing.php | 4 +++-
 gulliver/thirdparty/phing/lib/Capsule.php | 5 ++++-
 .../phing/tasks/system/IncludePathTask.php | 4 +++-
 workflow/engine/classes/class.case.php | 4 ++++
 workflow/engine/classes/class.pmLicenseManager.php | 4 ++++
 workflow/engine/classes/class.system.php | 1 +
 workflow/engine/controllers/pmTablesProxy.php | 12 ++++++++----
 workflow/engine/methods/setup/languages_Import.php | 1 +
 10 files changed, 39 insertions(+), 9 deletions(-)

diff --git a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php
index 7e8539ad1..2d52acfaa 100644
--- a/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php
+++ b/gulliver/thirdparty/HTMLPurifier/HTMLPurifier/DefinitionCache/Serializer.php
@@ -182,7 +182,11 @@ class HTMLPurifier_DefinitionCache_Serializer extends HTMLPurifier_DefinitionCac
 */
 private function _write($file, $data, $config)
 {
- $result = file_put_contents($file, $data);
+ if(is_file($file)) {
+ $result = file_put_contents($file, $data);
+ } else {
+ $result = false;
+ }
 if ($result !== false) {
 // set permissions of the new file (no execute)
 $chmod = $config->get('Cache.SerializerPermissions');
diff --git a/gulliver/thirdparty/pear/Net/FTP/Socket.php b/gulliver/thirdparty/pear/Net/FTP/Socket.php
index c86198329..d6d2c82a8 100755
--- a/gulliver/thirdparty/pear/Net/FTP/Socket.php
+++ b/gulliver/thirdparty/pear/Net/FTP/Socket.php
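Review bot: The `is_file($file)` guard placed before `file_put_contents` in `_write` refuses to write any cache entry that does not already exist, so on an empty cache directory every write returns false and the definition cache is never populated, while an already-existing file reached through `..` segments still passes. The check should be on the file's location, not its existence: resolve the parent with `realpath()` and require it to sit under the cache directory this class already derives from `$config`, e.g. `$dir = realpath(dirname($file));` followed by `if ($dir === false || strpos($dir . DIRECTORY_SEPARATOR, $cacheRoot . DIRECTORY_SEPARATOR) !== 0) { return false; }` where `$cacheRoot` is the `realpath()` of that cache directory. `_write` continues past the end of the hunk.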
@@ -660,7 +660,12 @@ function ftp_get(&$control, $local, $remote, $mode, $resume = 0)
 return false;
 }
- $fp = fopen($local, 'w'.$windows[$mode]);
+ if(is_file($local)) {
+ $fp = fopen($local, 'w'.$windows[$mode]);
+ } else {
+ $fp = false;
+ }
+
 if (!is_resource($fp)) {
 $fp = null;
 return false;
diff --git a/gulliver/thirdparty/phing/Phing.php b/gulliver/thirdparty/phing/Phing.php
index e45e80dd3..88fe35eef 100644
--- a/gulliver/thirdparty/phing/Phing.php
+++ b/gulliver/thirdparty/phing/Phing.php
@@ -856,7 +856,9 @@ class Phing {
 if (self::getMsgOutputLevel() === PROJECT_MSG_DEBUG) {
 print("Phing::import() prepending new include_path components: " . implode(PATH_SEPARATOR, $new_parts) . "\n");
 }
- ini_set('include_path', implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)));
+ if (is_dir(implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)))) {
+ ini_set('include_path', implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)));
+ }
 }
 }
diff --git a/gulliver/thirdparty/phing/lib/Capsule.php b/gulliver/thirdparty/phing/lib/Capsule.php
index bab05486a..be8fe46a7 100755
--- a/gulliver/thirdparty/phing/lib/Capsule.php
+++ b/gulliver/thirdparty/phing/lib/Capsule.php
@@ -121,7 +121,10 @@ class Capsule {
 // prepend template path to include path,
 // so that include "path/relative/to/templates"; can be used within templates
 $__old_inc_path = ini_get('include_path');
- ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path);
+
+ if(is_dir($this->templatePath . PATH_SEPARATOR . $__old_inc_path)) {
+ ini_set('include_path', $this->templatePath . PATH_SEPARATOR . $__old_inc_path);
+ }
 @ini_set('track_errors', true);
 include $__template;
diff --git a/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php b/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php
index 73a3daf9e..317036bc8 100644
--- a/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php
+++ b/gulliver/thirdparty/phing/tasks/system/IncludePathTask.php
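Review bot: The `is_file($local)` test added in `ftp_get` makes every download to a not-yet-existing local path fail, because the `fopen($local, 'w'...)` it now guards is what creates the file; after this change `ftp_get` can only overwrite. An existence check also says nothing about traversal, since an existing file outside the intended directory passes just the same. If the goal is to keep `$local` inside a download directory, compare `realpath(dirname($local))` against that directory at the caller; inside this function the most that makes sense is `$fp = is_dir(dirname($local)) ? fopen($local, 'w'.$windows[$mode]) : false;`. The body of `ftp_get` extends beyond the hunk on both sides.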
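Review bot: `is_dir(implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)))` tests the entire joined include path as though it were a single directory; as soon as the merged list has two or more entries the string contains PATH_SEPARATOR, `is_dir` is false and the `ini_set` is skipped, so `Phing::import()` silently stops prepending paths in the normal case. Validate the components individually and keep the `ini_set` unconditional: `$new_parts = array_filter($new_parts, 'is_dir');` before the merge, which also makes the debug `print` above report only the accepted entries. The enclosing method begins and ends outside the hunk.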
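Review bot: `is_dir($this->templatePath . PATH_SEPARATOR . $__old_inc_path)` can only be true when `$__old_inc_path` is empty, because the concatenated string otherwise contains PATH_SEPARATOR and names no directory; under a normal PHP configuration the include path is therefore never updated and the `include "path/relative/to/templates"` usage the comment above describes breaks. Test only the part that is supposed to be a directory, `if (is_dir($this->templatePath)) {`, and leave the concatenation to `ini_set`. The restore of `$__old_inc_path` after the `include` lies outside the hunk, so I cannot confirm it is still balanced with the now-conditional set.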
@@ -108,7 +108,9 @@ class IncludePathTask extends TaskPhing {
 if ($new_parts) {
 $this->log("Prepending new include_path components: " . implode(PATH_SEPARATOR, $new_parts), PROJECT_MSG_VERBOSE);
- set_include_path(implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)));
+ if(is_dir(implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)))) {
+ set_include_path(implode(PATH_SEPARATOR, array_merge($new_parts, $curr_parts)));
+ }
 }
 }
diff --git a/workflow/engine/classes/class.case.php b/workflow/engine/classes/class.case.php
index f1e0b4abf..5859eaf45 100755
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -3797,6 +3797,10 @@ class Cases
 if (!is_dir($strPathName)) {
 G::verifyPath($strPathName, true);
 }
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $file = $filter->xssFilterHard($file, 'path');
 copy($file, $strPathName . $strFileName);
 chmod($strPathName . $strFileName, 0666);
diff --git a/workflow/engine/classes/class.pmLicenseManager.php b/workflow/engine/classes/class.pmLicenseManager.php
index 4e95560e2..02e9e922c 100644
--- a/workflow/engine/classes/class.pmLicenseManager.php
+++ b/workflow/engine/classes/class.pmLicenseManager.php
@@ -442,6 +442,10 @@ class pmLicenseManager
 $LicenseStatus = $this->lookForStatusLicense(); //we're looking for a status ACTIVE
 //getting the content from file
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $path = $filter->xssFilterHard($path, 'path');
+
 $handle = fopen ( $path, "r" );
 $contents = fread ( $handle, filesize ( $path ) );
 fclose ( $handle );
diff --git a/workflow/engine/classes/class.system.php b/workflow/engine/classes/class.system.php
index a1c1f4175..e7da8f831 100755
--- a/workflow/engine/classes/class.system.php
+++ b/workflow/engine/classes/class.system.php
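Review bot: The `is_dir(implode(PATH_SEPARATOR, ...))` condition wrapping `set_include_path` is false whenever the merged list has more than one entry, since the joined string contains PATH_SEPARATOR and is not a directory, so the task logs "Prepending new include_path components" and then does nothing. Filter the entries rather than the joined string: `$new_parts = array_filter($new_parts, 'is_dir');` placed before the visible `if ($new_parts) {`, keeping `set_include_path` unconditional inside it. The beginning of the method lies outside the hunk.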
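Review bot: The filter is applied to the copy source `$file`, but the destination on the `copy()` line, `$strPathName . $strFileName`, is built from `$strFileName` unchanged, and nothing in the hunk shows that `xssFilterHard(..., 'path')` rejects `..` segments rather than stripping markup, so if `$strFileName` can be request-controlled it still escapes `$strPathName`. Pin the target to a leaf name and reuse it: `$target = $strPathName . basename($strFileName);` then `copy($file, $target);` and `chmod($target, 0666);`. The return value of `copy()` is also unchecked, so a failed copy is followed by a `chmod` warning on a missing file. The enclosing method starts and ends outside the hunk.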
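Review bot: After the filter, `fopen($path, "r")` is still used without checking its result, so if the rewritten `$path` no longer names a readable file `$handle` is false, `filesize($path)` and `fread` emit warnings, and `$contents` is empty while the method carries on as if a license had been read. Replace the open/read/close triple with `$contents = is_file($path) ? file_get_contents($path) : false;` and return or throw when it is `false`. For a license file the provenance of `$path` matters more than its characters; if it can originate outside the class, anchor it to the license directory with `realpath()` rather than relying on a character filter. The enclosing method continues past the hunk.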
@@ -287,6 +287,7 @@ class System
 $tempFilename = isset( $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] ) ? $_FILES['form']['tmp_name']['UPGRADE_FILENAME'] : '';
 $this->sRevision = str_replace( '.tar.gz', '', str_replace( 'pmos-patch-', '', $upgradeFilename ) );
 $sTemFilename = $tempFilename;
+ $sTemFilename = $filter->xssFilterHard($sTemFilename, 'path');
 $pathFile = $filter->xssFilterHard(PATH_DATA . 'upgrade' . PATH_SEP . $upgradeFilename, 'path');
 $this->sFilename = $pathFile;
 $this->sPath = dirname( $this->sFilename ) . PATH_SEP;
diff --git a/workflow/engine/controllers/pmTablesProxy.php b/workflow/engine/controllers/pmTablesProxy.php
index 12d67de42..fe7b8687d 100755
--- a/workflow/engine/controllers/pmTablesProxy.php
+++ b/workflow/engine/controllers/pmTablesProxy.php
@@ -669,10 +669,12 @@ class pmTablesProxy extends HttpProxyController
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
 $countRow = 250;
- if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
+ $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
+ $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
+ if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
 $filename = $_FILES['form']['name']['CSV_FILE'];
 $filename = $filter->xssFilterHard($filename, 'path');
- if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
+ if ($oFile = fopen( $tmpfilename, 'r' )) {
 require_once 'classes/model/AdditionalTables.php';
 $oAdditionalTables = new AdditionalTables();
 $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
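Review bot: `$sTemFilename` holds `$_FILES[...]['tmp_name']`, a path PHP assigns for the upload rather than one the client supplies, so `xssFilterHard` on it adds no protection and, if the filter rewrites characters, can mangle a legitimate temp path. What establishes that the path is a real upload is `is_uploaded_file()`: `if ($sTemFilename === '' || !is_uploaded_file($sTemFilename)) { return false; }` (or whatever failure path this method already uses). The client-influenced value here is `$upgradeFilename`, assigned above the hunk, which reaches `$pathFile` only through the same filter; a `basename()` before the `PATH_DATA . 'upgrade'` concatenation would pin it to a leaf regardless of how the filter treats `..`. The enclosing method continues outside the hunk.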
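Review bot: `$tmpfilename` is `$_FILES['form']['tmp_name']['CSV_FILE']`, assigned by PHP, so the `xssFilterHard` applied to it does not reduce what a client can influence; the check that matters before `file_get_contents` is that the path is a genuine upload: `if (!isset($_FILES['form']['tmp_name']['CSV_FILE']) || !is_uploaded_file($tmpfilename)) { ... }` with this method's usual error response. `file_get_contents($tmpfilename)` also reads the whole CSV into memory only to scan for control bytes before the same file is streamed again via `fopen`; the scan could run per line inside that loop with the same regex. Both the method's start and the body of the `fopen` branch lie outside the hunk.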
@@ -767,10 +769,12 @@ class pmTablesProxy extends HttpProxyController
 {
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
- if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $_FILES['form']['tmp_name']['CSV_FILE'] ) ) === 0) {
+ $tmpfilename = $_FILES['form']['tmp_name']['CSV_FILE'];
+ $tmpfilename = $filter->xssFilterHard($tmpfilename, 'path');
+ if (preg_match( '/[\x00-\x08\x0b-\x0c\x0e\x1f]/', file_get_contents( $tmpfilename ) ) === 0) {
 $filename = $_FILES['form']['name']['CSV_FILE'];
 $filename = $filter->xssFilterHard($filename, 'path');
- if ($oFile = fopen( $_FILES['form']['tmp_name']['CSV_FILE'], 'r' )) {
+ if ($oFile = fopen( $tmpfilename, 'r' )) {
 require_once 'classes/model/AdditionalTables.php';
 $oAdditionalTables = new AdditionalTables();
 $aAdditionalTables = $oAdditionalTables->load( $_POST['form']['ADD_TAB_UID'], true );
diff --git a/workflow/engine/methods/setup/languages_Import.php b/workflow/engine/methods/setup/languages_Import.php
index 1ea43988a..fb1080c01 100755
--- a/workflow/engine/methods/setup/languages_Import.php
+++ b/workflow/engine/methods/setup/languages_Import.php
@@ -61,6 +61,7 @@ try {
 $languageFile = $_FILES['form']['tmp_name']['LANGUAGE_FILENAME'];
 $languageFilename = $_FILES['form']['name']['LANGUAGE_FILENAME'];
+ $languageFile = $filter->xssFilterHard($languageFile, 'path');
 $languageFilename = $filter->xssFilterHard($languageFilename, 'path');
 if (substr_compare( $languageFilename, ".gz", - 3, 3, true ) == 0) {
 $zp = gzopen( $languageFile, "r" );
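Review bot: The hardening had to be applied twice because this method repeats the same `preg_match`/`file_get_contents`/`fopen` sequence as the one at line 669, and any later correction (an `is_uploaded_file($tmpfilename)` gate before `file_get_contents`, for example) must now be remembered in both places. Extract a private helper that validates the upload and returns the open handle or false, and call it from both methods so there is one place to harden; its body would be the lines from `$tmpfilename = ...` through the `fopen` call plus the gate. Both methods extend beyond their hunks.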
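Review bot: Filtering `$languageFile`, which is PHP's own `tmp_name` for the upload, does not change what the client controls; the useful gate before `gzopen` is `if (!is_uploaded_file($languageFile)) { ... }` with whatever failure path this `try` block already uses. The value the client does control is `$languageFilename`, which still only passes through `xssFilterHard`; if it is later used to build a path under the languages directory (outside this hunk), reduce it with `basename()` first. The result of `gzopen` is not checked on the visible line and the following line is outside the hunk, so I cannot see whether a false return is handled.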