fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

conflicts

Browse Source
This commit is contained in:
Paula Quispe
2017-02-10 17:51:25 -04:00
parent e9b8c82780 3e687e6bb3
commit db4c0a67b6
12 changed files with 120 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
framework/src/Maveriks/WebApplication.php
View File

@@ -533,6 +533,7 @@ class WebApplication
define("PATH_DYNAFORM", PATH_DATA_SITE . "xmlForms/"); define("PATH_DYNAFORM", PATH_DATA_SITE . "xmlForms/");
define("PATH_IMAGES_ENVIRONMENT_FILES", PATH_DATA_SITE . "usersFiles" . PATH_SEP); define("PATH_IMAGES_ENVIRONMENT_FILES", PATH_DATA_SITE . "usersFiles" . PATH_SEP);
define("PATH_IMAGES_ENVIRONMENT_USERS", PATH_DATA_SITE . "usersPhotographies" . PATH_SEP); define("PATH_IMAGES_ENVIRONMENT_USERS", PATH_DATA_SITE . "usersPhotographies" . PATH_SEP);
define('DISABLE_PHP_UPLOAD_EXECUTION', $arraySystemConfiguration['disable_php_upload_execution']);
/** /**
* Global definitions, before it was the defines.php file * Global definitions, before it was the defines.php file

35
gulliver/system/class.bootstrap.php
View File

@@ -2967,6 +2967,40 @@ class Bootstrap
} }
/** /**
* get DISABLE_PHP_UPLOAD_EXECUTION value defined in env.ini
* @return int
*/
public static function getDisablePhpUploadExecution()
{
$disablePhpUploadExecution = 0;
if (defined("DISABLE_PHP_UPLOAD_EXECUTION")) {
$disablePhpUploadExecution = (int) DISABLE_PHP_UPLOAD_EXECUTION;
}
return $disablePhpUploadExecution;
}
/**
* Record the action of executing a php file or attempting to upload a php
* file in server.
* @param type $channel
* @param type $level
* @param type $message
* @param type $fileName
*/
public static function registerMonologPhpUploadExecution($channel, $level, $message, $fileName)
{
$context = \Bootstrap::getDefaultContextLog();
$context['action'] = $channel;
$context['filename'] = $fileName;
if (defined("SYS_CURRENT_URI") && defined("SYS_CURRENT_PARMS")) {
$context['url'] = SYS_CURRENT_URI . '?' . SYS_CURRENT_PARMS;
}
$context['usrUid'] = isset($_SESSION['USER_LOGGED']) ? $_SESSION['USER_LOGGED'] : '';
$sysSys = defined("SYS_SYS") ? SYS_SYS : "Undefined";
\Bootstrap::registerMonolog($channel, $level, $message, $context, $sysSys, 'processmaker.log');
}
/*
* Set the constant to related the Workspaces * Set the constant to related the Workspaces
* *
* @param string $workspace * @param string $workspace
@@ -2984,5 +3018,6 @@ class Bootstrap
define('PATH_WORKSPACE', PATH_DATA_SITE); define('PATH_WORKSPACE', PATH_DATA_SITE);
} }
} }
} }

25
gulliver/system/class.g.php
View File

@@ -1241,7 +1241,14 @@ class G
if ($download) { if ($download) {
G::sendHeaders( $filename, 'text/plain', $download, $downloadFileName ); G::sendHeaders( $filename, 'text/plain', $download, $downloadFileName );
} else { } else {
require_once ($filename); if (\Bootstrap::getDisablePhpUploadExecution() === 0) {
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $filename);
require_once ($filename);
} else {
$message = G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $filename);
echo $message;
}
return; return;
} }
break; break;
@@ -5539,16 +5546,24 @@ class G
$res->status = false; $res->status = false;
$allowedTypes = array_map('G::getRealExtension', explode(',', $InpDocAllowedFiles)); $allowedTypes = array_map('G::getRealExtension', explode(',', $InpDocAllowedFiles));
// Get the file extension
$aux = pathinfo($fileName);
$fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : '';
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $fileExtension === 'php') {
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileName);
$res->status = false;
$res->message = $message;
return $res;
}
// If required extension is *.* don't validate // If required extension is *.* don't validate
if (in_array('*', $allowedTypes)) { if (in_array('*', $allowedTypes)) {
$res->status = true; $res->status = true;
return $res; return $res;
} }
// Get the file extension
$aux = pathinfo($fileName);
$fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : '';
// If no valid extension finish (unnecesary check file content) // If no valid extension finish (unnecesary check file content)
$validExtension = in_array($fileExtension, $allowedTypes); $validExtension = in_array($fileExtension, $allowedTypes);
if (!$validExtension) { if (!$validExtension) {

2
pmos.conf.example
View File

@@ -6,7 +6,7 @@
<Directory /example/path/to/processmaker/workflow/public_html> <Directory /example/path/to/processmaker/workflow/public_html>
Options Indexes FollowSymLinks MultiViews Options Indexes FollowSymLinks MultiViews
AllowOverride None AllowOverride All
Order allow,deny Order allow,deny
Allow from all Allow from all
Require all granted Require all granted

3
workflow/engine/classes/class.system.php
View File

@@ -78,7 +78,8 @@ class System
'leave_case_warning' => 0, 'leave_case_warning' => 0,
'server_hostname_requests_frontend' => '', 'server_hostname_requests_frontend' => '',
'load_headers_ie' => 0, 'load_headers_ie' => 0,
'redirect_to_mobile' => 0 'redirect_to_mobile' => 0,
'disable_php_upload_execution' => 0
); );
/** /**

12
workflow/engine/content/translations/english/processmaker.en.po
View File

@@ -27419,6 +27419,18 @@ msgstr "External Registration"
msgid "Filter By" msgid "Filter By"
msgstr "Filter By" msgstr "Filter By"
# TRANSLATION
# LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
#: LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
msgid "The upload of PHP files was disabled please contact the system administrator."
msgstr "The upload of PHP files was disabled please contact the system administrator."
# TRANSLATION
# LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
#: LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
msgid "The PHP files execution was disabled please contact the system administrator."
msgstr "The PHP files execution was disabled please contact the system administrator."
# TRANSLATION # TRANSLATION
# LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837 # LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
#: LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837 #: LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837

12
workflow/engine/methods/appFolder/appFolderAjax.php
View File

@@ -1534,6 +1534,18 @@ function uploadExternalDocument()
//Read. Instance Document classes //Read. Instance Document classes
if (!empty($quequeUpload)) { if (!empty($quequeUpload)) {
foreach ($quequeUpload as $key => $fileObj) {
$extension = pathinfo($fileObj['fileName'], PATHINFO_EXTENSION);
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extension === 'php') {
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileObj['fileName']);
$response['error'] = $message;
$response['message'] = $message;
$response['success'] = false;
print_r(G::json_encode($response));
exit();
}
}
$docUid=$_POST['docUid']; $docUid=$_POST['docUid'];
$appDocUid=isset($_POST['APP_DOC_UID'])?$_POST['APP_DOC_UID']:""; $appDocUid=isset($_POST['APP_DOC_UID'])?$_POST['APP_DOC_UID']:"";
$docVersion=isset($_POST['docVersion'])?$_POST['docVersion']:""; $docVersion=isset($_POST['docVersion'])?$_POST['docVersion']:"";

5
workflow/engine/methods/cases/proxyNewCasesList.php
View File

@@ -10,9 +10,6 @@ if (!isset($_SESSION['USER_LOGGED'])) {
G::LoadSystem('inputfilter'); G::LoadSystem('inputfilter');
$filter = new InputFilter(); $filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
try { try {
$userUid = $_SESSION['USER_LOGGED']; $userUid = $_SESSION['USER_LOGGED'];
@@ -195,8 +192,6 @@ try {
$response['filters'] = $filtersData; $response['filters'] = $filtersData;
$response['totalCount'] = $list->countTotal($userUid, $filtersData); $response['totalCount'] = $list->countTotal($userUid, $filtersData);
$response = $filter->xssFilterHard($response);
$response['data'] = \ProcessMaker\Util\DateTime::convertUtcToTimeZone($result); $response['data'] = \ProcessMaker\Util\DateTime::convertUtcToTimeZone($result);
echo G::json_encode($response); echo G::json_encode($response);

10
workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php
View File

@@ -971,6 +971,16 @@ class InputDocument
$aFields = array("APP_UID" => $appUid, "DEL_INDEX" => $delIndex, "USR_UID" => $userUid, "DOC_UID" => -1, "APP_DOC_TYPE" => "ATTACHED", "APP_DOC_CREATE_DATE" => date("Y-m-d H:i:s"), "APP_DOC_COMMENT" => "", "APP_DOC_TITLE" => "", "APP_DOC_FILENAME" => $arrayFileName[$i], "APP_DOC_FIELDNAME" => $fieldName); $aFields = array("APP_UID" => $appUid, "DEL_INDEX" => $delIndex, "USR_UID" => $userUid, "DOC_UID" => -1, "APP_DOC_TYPE" => "ATTACHED", "APP_DOC_CREATE_DATE" => date("Y-m-d H:i:s"), "APP_DOC_COMMENT" => "", "APP_DOC_TITLE" => "", "APP_DOC_FILENAME" => $arrayFileName[$i], "APP_DOC_FIELDNAME" => $fieldName);
} }
$sExtension = pathinfo($aFields["APP_DOC_FILENAME"]);
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $sExtension["extension"] === 'php') {
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $sFileName);
\G::SendMessageText($message, "ERROR");
$backUrlObj = explode("sys" . SYS_SYS, $_SERVER['HTTP_REFERER']);
\G::header("location: " . "/sys" . SYS_SYS . $backUrlObj[1]);
die();
}
$oAppDocument = new \AppDocument(); $oAppDocument = new \AppDocument();
$oAppDocument->create($aFields); $oAppDocument->create($aFields);

5
workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
View File

@@ -187,6 +187,11 @@ class FilesManager
if ($extention == '.exe') { if ($extention == '.exe') {
throw new \Exception(\G::LoadTranslation('ID_FILE_UPLOAD_INCORRECT_EXTENSION')); throw new \Exception(\G::LoadTranslation('ID_FILE_UPLOAD_INCORRECT_EXTENSION'));
} }
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extention === '.php') {
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $aData['prf_filename']);
throw new \Exception($message);
}
break; break;
default: default:
$sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . $sSubDirectory . $aData['prf_filename']; $sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . $sSubDirectory . $aData['prf_filename'];

10
workflow/engine/src/ProcessMaker/BusinessModel/Light.php
View File

@@ -902,6 +902,16 @@ class Light
$response = array(); $response = array();
if (is_array($request_data)) { if (is_array($request_data)) {
foreach ($request_data as $k => $file) { foreach ($request_data as $k => $file) {
$ext = pathinfo($file['name'], PATHINFO_EXTENSION);
if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $ext === 'php') {
$message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
\Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $file['name']);
$response[$k]['error'] = array(
"code" => "400",
"message" => $message
);
continue;
}
$oCase = new \Cases(); $oCase = new \Cases();
$delIndex = $oCase->getCurrentDelegation($app_uid, $userUid); $delIndex = $oCase->getCurrentDelegation($app_uid, $userUid);
$docUid = !empty($file['docUid']) ? $file['docUid'] : -1; $docUid = !empty($file['docUid']) ? $file['docUid'] : -1;

12
workflow/public_html/sysGeneric.php
View File

@@ -337,6 +337,7 @@ define ('WS_IN_LOGIN', isset($config['WS_IN_LOGIN']) ? $config['WS_IN_LOGIN'] :
define('LOAD_HEADERS_IE', $config['load_headers_ie']); define('LOAD_HEADERS_IE', $config['load_headers_ie']);
define('LEAVE_CASE_WARNING', $config['leave_case_warning']); define('LEAVE_CASE_WARNING', $config['leave_case_warning']);
define('REDIRECT_TO_MOBILE', $config['redirect_to_mobile']); define('REDIRECT_TO_MOBILE', $config['redirect_to_mobile']);
define('DISABLE_PHP_UPLOAD_EXECUTION', $config['disable_php_upload_execution']);
// IIS Compatibility, SERVER_ADDR doesn't exist on that env, so we need to define it. // IIS Compatibility, SERVER_ADDR doesn't exist on that env, so we need to define it.
$_SERVER['SERVER_ADDR'] = isset( $_SERVER['SERVER_ADDR'] ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['SERVER_NAME']; $_SERVER['SERVER_ADDR'] = isset( $_SERVER['SERVER_ADDR'] ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['SERVER_NAME'];
@@ -801,6 +802,17 @@ if (substr( SYS_COLLECTION, 0, 8 ) === 'gulliver') {
die(); die();
} }
Bootstrap::initVendors();
Bootstrap::LoadSystem( 'monologProvider' );
if (\Bootstrap::getDisablePhpUploadExecution() === 1) {
$message = \G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $phpFile);
echo $message;
die();
} else {
\Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $phpFile);
}
$avoidChangedWorkspaceValidation = true; $avoidChangedWorkspaceValidation = true;
$bWE = true; $bWE = true;
//$phpFile = PATH_DATA_SITE . 'public' . PATH_SEP . SYS_COLLECTION . PATH_SEP . $auxPart[ count($auxPart)-1]; //$phpFile = PATH_DATA_SITE . 'public' . PATH_SEP . SYS_COLLECTION . PATH_SEP . $auxPart[ count($auxPart)-1];