diff --git a/.gitignore b/.gitignore index bb2664051..0c77f18af 100644 --- a/.gitignore +++ b/.gitignore @@ -20,7 +20,6 @@ workflow/public_html/index.html .DS_Store .idea composer.phar -composer.lock vendor/ workflow/engine/config/schema-transformed.xml workflow/engine/config/_databases_.php diff --git a/composer.lock b/composer.lock index 66c0b5002..492e7640e 100644 --- a/composer.lock +++ b/composer.lock @@ -4,8 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "e94e04e50eb74bdfd3dfedcb1af4e6d0", - "content-hash": "f0b89bffcea74fc73605464d3f0ca520", + "content-hash": "da8938c847b4f778aa2acc95daaeb38c", "packages": [ { "name": "bshaffer/oauth2-server-php", @@ -48,7 +47,7 @@ "oauth", "oauth2" ], - "time": "2013-08-12 16:35:58" + "time": "2013-08-12T16:35:58+00:00" }, { "name": "colosa/MichelangeloFE", @@ -56,7 +55,7 @@ "source": { "type": "git", "url": "git@bitbucket.org:colosa/michelangelofe.git", - "reference": "7e889f23a7e8397c052a4d9ae6331334b57c9d48" + "reference": "733277aef23c643b094c123043c3dbee975997a4" }, "require": { "colosa/pmui": "release/3.2-dev" @@ -67,7 +66,7 @@ "keywords": [ "js app ProcessMaker" ], - "time": "2016-03-09 20:18:44" + "time": "2017-01-30 20:34:14" }, { "name": "colosa/pmDynaform", @@ -75,7 +74,7 @@ "source": { "type": "git", "url": "git@bitbucket.org:colosa/pmdynaform.git", - "reference": "c2008027bd721ac42e4a7d98cc773f82ac25921e" + "reference": "efb60f8f989ee83f91459f82810f90d8ef7a6d64" }, "type": "library", "description": "JS Library to render ProcessMaker Dynaforms", @@ -83,7 +82,7 @@ "keywords": [ "js lib ProcessMaker Dynaforms" ], - "time": "2016-03-15 17:46:33" + "time": "2017-02-09 17:03:07" }, { "name": "colosa/pmUI", 
@@ -91,7 +90,7 @@ "source": { "type": "git", "url": "git@bitbucket.org:colosa/pmui.git", - "reference": "851ee86a1006df111ee8b281bf2b033cdbcc6f0b" + "reference": "462ab5f45a4cce1ca9920fcb854255f10abea1e1" }, "type": "library", "description": "JS UI Library", @@ -99,20 +98,20 @@ "keywords": [ "js lib ProcessMaker UI" ], - "time": "2016-02-26 21:41:50" + "time": "2017-01-30 20:34:06" }, { "name": "dapphp/securimage", - "version": "3.6.4", + "version": "3.6.5", "source": { "type": "git", "url": "https://github.com/dapphp/securimage.git", - "reference": "2ed50264ae5541fec8d8c79e4c9b6235a7cfd506" + "reference": "3f5a84fd80b1a35d58332896c944142713a7e802" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/dapphp/securimage/zipball/2ed50264ae5541fec8d8c79e4c9b6235a7cfd506", - "reference": "2ed50264ae5541fec8d8c79e4c9b6235a7cfd506", + "url": "https://api.github.com/repos/dapphp/securimage/zipball/3f5a84fd80b1a35d58332896c944142713a7e802", + "reference": "3f5a84fd80b1a35d58332896c944142713a7e802", "shasum": "" }, "require": { @@ -130,7 +129,7 @@ "securimage.php" ] }, - "notification-url": "http://packagist.org/downloads/", + "notification-url": "https://packagist.org/downloads/", "license": [ "BSD" ], @@ -146,7 +145,7 @@ "captcha", "security" ], - "time": "2016-03-04 21:08:00" + "time": "2016-12-04T17:45:57+00:00" }, { "name": "google/apiclient", @@ -189,7 +188,7 @@ "keywords": [ "google" ], - "time": "2015-10-16 22:11:08" + "time": "2015-10-16T22:11:08+00:00" }, { "name": "luracast/restler", 
@@ -197,12 +196,12 @@ "source": { "type": "git", "url": "https://github.com/Luracast/Restler.git", - "reference": "1dcf910c1e1fd1ea565a537b053a66971d818e42" + "reference": "581d8d6dc5d37f439765f89725a92f85e98f1826" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Luracast/Restler/zipball/1dcf910c1e1fd1ea565a537b053a66971d818e42", - "reference": "1dcf910c1e1fd1ea565a537b053a66971d818e42", + "url": "https://api.github.com/repos/Luracast/Restler/zipball/581d8d6dc5d37f439765f89725a92f85e98f1826", + "reference": "581d8d6dc5d37f439765f89725a92f85e98f1826", "shasum": "" }, "require": { @@ -268,7 +267,7 @@ "rest", "server" ], - "time": "2015-08-04 07:52:49" + "time": "2015-08-04T07:52:49+00:00" }, { "name": "monolog/monolog", @@ -346,7 +345,7 @@ "logging", "psr-3" ], - "time": "2016-04-12 18:29:35" + "time": "2016-04-12T18:29:35+00:00" }, { "name": "psr/log", @@ -384,7 +383,7 @@ "psr", "psr-3" ], - "time": "2012-12-21 11:40:51" + "time": "2012-12-21T11:40:51+00:00" } ], "packages-dev": [ @@ -453,7 +452,7 @@ "Behat", "Symfony2" ], - "time": "2013-06-06 10:46:48" + "time": "2013-06-06T10:46:48+00:00" }, { "name": "behat/gherkin", @@ -514,7 +513,7 @@ "Symfony2", "parser" ], - "time": "2013-03-02 10:38:40" + "time": "2013-03-02T10:38:40+00:00" }, { "name": "guzzle/guzzle", @@ -571,7 +570,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-master": "release/3.2-dev" + "dev-master": "3.1-dev" } }, "autoload": { 
@@ -607,26 +606,29 @@ "web service" ], "abandoned": "guzzlehttp/guzzle", - "time": "2013-01-28 00:07:40" + "time": "2013-01-28T00:07:40+00:00" }, { "name": "symfony/config", - "version": "v2.8.9", + "version": "v2.8.17", "source": { "type": "git", "url": "https://github.com/symfony/config.git", - "reference": "4275ef5b59f18959df0eee3991e9ca0cc208ffd4" + "reference": "747fa191136cf798409183c501435aa4c16184df" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/config/zipball/4275ef5b59f18959df0eee3991e9ca0cc208ffd4", - "reference": "4275ef5b59f18959df0eee3991e9ca0cc208ffd4", + "url": "https://api.github.com/repos/symfony/config/zipball/747fa191136cf798409183c501435aa4c16184df", + "reference": "747fa191136cf798409183c501435aa4c16184df", "shasum": "" }, "require": { "php": ">=5.3.9", "symfony/filesystem": "~2.3|~3.0.0" }, + "require-dev": { + "symfony/yaml": "~2.7|~3.0.0" + }, "suggest": { "symfony/yaml": "To use the yaml reference dumper" }, @@ -660,24 +662,25 @@ ], "description": "Symfony Config Component", "homepage": "https://symfony.com", - "time": "2016-07-26 08:02:44" + "time": "2017-02-05T10:11:19+00:00" }, { "name": "symfony/console", - "version": "v2.8.9", + "version": "v2.8.17", "source": { "type": "git", "url": "https://github.com/symfony/console.git", - "reference": "36e62335caca8a6e909c5c5bac4a8128149911c9" + "reference": "f3c234cd8db9f7e520a91d695db7d8bb5daeb7a4" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/console/zipball/36e62335caca8a6e909c5c5bac4a8128149911c9", - "reference": "36e62335caca8a6e909c5c5bac4a8128149911c9", + "url": "https://api.github.com/repos/symfony/console/zipball/f3c234cd8db9f7e520a91d695db7d8bb5daeb7a4", + "reference": "f3c234cd8db9f7e520a91d695db7d8bb5daeb7a4", "shasum": "" }, "require": { "php": ">=5.3.9", + "symfony/debug": "~2.7,>=2.7.2|~3.0.0", "symfony/polyfill-mbstring": "~1.0" }, "require-dev": { 
@@ -720,20 +723,77 @@ ], "description": "Symfony Console Component", "homepage": "https://symfony.com", - "time": "2016-07-30 07:20:35" + "time": "2017-02-06T12:04:06+00:00" }, { - "name": "symfony/dependency-injection", - "version": "v2.8.9", + "name": "symfony/debug", + "version": "v3.0.9", "source": { "type": "git", - "url": "https://github.com/symfony/dependency-injection.git", - "reference": "f2b5a00d176f6a201dc430375c0ef37706ea3d12" + "url": "https://github.com/symfony/debug.git", + "reference": "697c527acd9ea1b2d3efac34d9806bf255278b0a" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/f2b5a00d176f6a201dc430375c0ef37706ea3d12", - "reference": "f2b5a00d176f6a201dc430375c0ef37706ea3d12", + "url": "https://api.github.com/repos/symfony/debug/zipball/697c527acd9ea1b2d3efac34d9806bf255278b0a", + "reference": "697c527acd9ea1b2d3efac34d9806bf255278b0a", + "shasum": "" + }, + "require": { + "php": ">=5.5.9", + "psr/log": "~1.0" + }, + "conflict": { + "symfony/http-kernel": ">=2.3,<2.3.24|~2.4.0|>=2.5,<2.5.9|>=2.6,<2.6.2" + }, + "require-dev": { + "symfony/class-loader": "~2.8|~3.0", + "symfony/http-kernel": "~2.8|~3.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "3.0-dev" + } + }, + "autoload": { + "psr-4": { + "Symfony\\Component\\Debug\\": "" + }, + "exclude-from-classmap": [ + "/Tests/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fabien Potencier", + "email": "fabien@symfony.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Symfony Debug Component", + "homepage": "https://symfony.com", + "time": "2016-07-30T07:22:48+00:00" + }, + { + "name": "symfony/dependency-injection", + "version": "v2.8.17", + "source": { + "type": "git", + "url": "https://github.com/symfony/dependency-injection.git", + "reference": 
"1dfbf6a9e30113a9c4e482ab056e969c70c37a19" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/dependency-injection/zipball/1dfbf6a9e30113a9c4e482ab056e969c70c37a19", + "reference": "1dfbf6a9e30113a9c4e482ab056e969c70c37a19", "shasum": "" }, "require": { @@ -783,20 +843,20 @@ ], "description": "Symfony DependencyInjection Component", "homepage": "https://symfony.com", - "time": "2016-07-30 07:20:35" + "time": "2017-01-27T23:54:58+00:00" }, { "name": "symfony/event-dispatcher", - "version": "v2.8.9", + "version": "v2.8.17", "source": { "type": "git", "url": "https://github.com/symfony/event-dispatcher.git", - "reference": "889983a79a043dfda68f38c38b6dba092dd49cd8" + "reference": "74877977f90fb9c3e46378d5764217c55f32df34" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/889983a79a043dfda68f38c38b6dba092dd49cd8", - "reference": "889983a79a043dfda68f38c38b6dba092dd49cd8", + "url": "https://api.github.com/repos/symfony/event-dispatcher/zipball/74877977f90fb9c3e46378d5764217c55f32df34", + "reference": "74877977f90fb9c3e46378d5764217c55f32df34", "shasum": "" }, "require": { @@ -843,7 +903,7 @@ ], "description": "Symfony EventDispatcher Component", "homepage": "https://symfony.com", - "time": "2016-07-28 16:56:28" + "time": "2017-01-02T20:30:24+00:00" }, { "name": "symfony/filesystem", @@ -892,7 +952,7 @@ ], "description": "Symfony Filesystem Component", "homepage": "https://symfony.com", - "time": "2016-07-20 05:43:46" + "time": "2016-07-20T05:43:46+00:00" }, { "name": "symfony/finder", 
@@ -942,20 +1002,20 @@ ], "description": "Symfony Finder Component", "homepage": "https://symfony.com", - "time": "2016-05-13 14:58:35" + "time": "2016-05-13T14:58:35+00:00" }, { "name": "symfony/polyfill-mbstring", - "version": "v1.2.0", + "version": "v1.3.0", "source": { "type": "git", "url": "https://github.com/symfony/polyfill-mbstring.git", - "reference": "dff51f72b0706335131b00a7f49606168c582594" + "reference": "e79d363049d1c2128f133a2667e4f4190904f7f4" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/dff51f72b0706335131b00a7f49606168c582594", - "reference": "dff51f72b0706335131b00a7f49606168c582594", + "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/e79d363049d1c2128f133a2667e4f4190904f7f4", + "reference": "e79d363049d1c2128f133a2667e4f4190904f7f4", "shasum": "" }, "require": { @@ -967,7 +1027,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-master": "1.2-dev" + "dev-master": "1.3-dev" } }, "autoload": { @@ -978,7 +1038,7 @@ "bootstrap.php" ] }, - "notification-url": "http://packagist.org/downloads/", + "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], @@ -1001,20 +1061,20 @@ "portable", "shim" ], - "time": "2016-05-18 14:26:46" + "time": "2016-11-14T01:06:16+00:00" }, { "name": "symfony/translation", - "version": "v2.8.9", + "version": "v2.8.17", "source": { "type": "git", "url": "https://github.com/symfony/translation.git", - "reference": "32b0c824da6df065f43b0c458dc505940e98a7f1" + "reference": "c281ac2b484210bb95106bdb8ae8356e63277725" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/translation/zipball/32b0c824da6df065f43b0c458dc505940e98a7f1", - "reference": "32b0c824da6df065f43b0c458dc505940e98a7f1", + "url": "https://api.github.com/repos/symfony/translation/zipball/c281ac2b484210bb95106bdb8ae8356e63277725", + "reference": "c281ac2b484210bb95106bdb8ae8356e63277725", "shasum": "" }, "require": { 
@@ -1065,20 +1125,20 @@ ], "description": "Symfony Translation Component", "homepage": "https://symfony.com", - "time": "2016-07-30 07:20:35" + "time": "2017-01-21T16:59:38+00:00" }, { "name": "symfony/yaml", - "version": "v2.8.9", + "version": "v2.8.17", "source": { "type": "git", "url": "https://github.com/symfony/yaml.git", - "reference": "0ceab136f43ed9d3e97b3eea32a7855dc50c121d" + "reference": "322a8c2dfbca15ad6b1b27e182899f98ec0e0153" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/yaml/zipball/0ceab136f43ed9d3e97b3eea32a7855dc50c121d", - "reference": "0ceab136f43ed9d3e97b3eea32a7855dc50c121d", + "url": "https://api.github.com/repos/symfony/yaml/zipball/322a8c2dfbca15ad6b1b27e182899f98ec0e0153", + "reference": "322a8c2dfbca15ad6b1b27e182899f98ec0e0153", "shasum": "" }, "require": { @@ -1114,7 +1174,7 @@ ], "description": "Symfony Yaml Component", "homepage": "https://symfony.com", - "time": "2016-07-17 09:06:15" + "time": "2017-01-21T16:40:50+00:00" } ], "aliases": [], diff --git a/framework/src/Maveriks/WebApplication.php b/framework/src/Maveriks/WebApplication.php index e4f26c85f..21c9473e1 100644 --- a/framework/src/Maveriks/WebApplication.php +++ b/framework/src/Maveriks/WebApplication.php @@ -533,6 +533,7 @@ class WebApplication define("PATH_DYNAFORM", PATH_DATA_SITE . "xmlForms/"); define("PATH_IMAGES_ENVIRONMENT_FILES", PATH_DATA_SITE . "usersFiles" . PATH_SEP); define("PATH_IMAGES_ENVIRONMENT_USERS", PATH_DATA_SITE . "usersPhotographies" . PATH_SEP); + define('DISABLE_PHP_UPLOAD_EXECUTION', $arraySystemConfiguration['disable_php_upload_execution']); /** * Global definitions, before it was the defines.php file diff --git a/gulliver/system/class.bootstrap.php b/gulliver/system/class.bootstrap.php index ce6c4b9d1..bbf34e800 100644 --- a/gulliver/system/class.bootstrap.php +++ b/gulliver/system/class.bootstrap.php 
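Review bot: The new `define('DISABLE_PHP_UPLOAD_EXECUTION', $arraySystemConfiguration['disable_php_upload_execution'])` reads the key with no isset guard, and `Bootstrap::getDisablePhpUploadExecution` casts whatever it finds with `(int)`, so a missing key, a null, or a non-numeric value such as `"true"` all become 0 and the control fails open. The same unguarded read is added in sysGeneric.php (`$config['disable_php_upload_execution']`), a few lines below a `WS_IN_LOGIN` define that does use isset. A flag whose only purpose is to stop `require_once` on uploaded files should fail closed: `define('DISABLE_PHP_UPLOAD_EXECUTION', isset($arraySystemConfiguration['disable_php_upload_execution']) ? (int) $arraySystemConfiguration['disable_php_upload_execution'] : 1);`. Whether the configuration loader always merges the defaults from class.system.php before this point is not visible in the hunk.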
@@ -2964,5 +2964,40 @@ class Bootstrap
 );
 return $aContext;
 }
+
+ /**
+ * get DISABLE_PHP_UPLOAD_EXECUTION value defined in env.ini
+ * @return int
+ */
+ public static function getDisablePhpUploadExecution()
+ {
+ $disablePhpUploadExecution = 0;
+ if (defined("DISABLE_PHP_UPLOAD_EXECUTION")) {
+ $disablePhpUploadExecution = (int) DISABLE_PHP_UPLOAD_EXECUTION;
+ }
+ return $disablePhpUploadExecution;
+ }
+
+ /**
+ * Record the action of executing a php file or attempting to upload a php
+ * file in server.
+ * @param type $channel
+ * @param type $level
+ * @param type $message
+ * @param type $fileName
+ */
+ public static function registerMonologPhpUploadExecution($channel, $level, $message, $fileName)
+ {
+ $context = \Bootstrap::getDefaultContextLog();
+ $context['action'] = $channel;
+ $context['filename'] = $fileName;
+ if (defined("SYS_CURRENT_URI") && defined("SYS_CURRENT_PARMS")) {
+ $context['url'] = SYS_CURRENT_URI . '?' . SYS_CURRENT_PARMS;
+ }
+ $context['usrUid'] = isset($_SESSION['USER_LOGGED']) ? $_SESSION['USER_LOGGED'] : '';
+ $sysSys = defined("SYS_SYS") ? SYS_SYS : "Undefined";
+ \Bootstrap::registerMonolog($channel, $level, $message, $context, $sysSys, 'processmaker.log');
+ }
+
 }
diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index 39e22b3ff..9f934ab16 100644
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -45,19 +45,16 @@ class G
 /**
 * is_https
- * @return void
- */
+ * @return bool
+ */
 public static function is_https()
 {
- if (isset($_SERVER['HTTPS'])) {
- if ($_SERVER['HTTPS']=='on') {
- return true;
- } else {
- return false;
- }
- } else {
- return false;
+ $is_http = false;
+ if ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') ||
+ (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {
+ $is_http = true;
 }
+ return $is_http;
 }
 /**
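Review bot: The docblock on `registerMonologPhpUploadExecution` uses `@param type` placeholders for all four parameters, so it documents nothing; they should read `@param string $channel`, `@param int $level`, `@param string $message` and `@param string $fileName`, and `getDisablePhpUploadExecution` should state that it returns 0 whenever the constant is undefined, since every caller treats 0 as "allowed". Separately, `$context['url']` copies the complete `SYS_CURRENT_PARMS` query string into processmaker.log on every logged upload or execution; if any of those requests carry tokens or credentials in the query string they are persisted in the log, so consider recording only `SYS_CURRENT_URI` or redacting known sensitive parameters. What SYS_CURRENT_PARMS contains on these paths is not visible from this hunk.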
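Review bot: The rewritten `is_https()` now accepts `HTTP_X_FORWARDED_PROTO: https` from any request, but that header is supplied by the client unless a reverse proxy in front of the application overwrites it, so a deployment without such a proxy lets the request decide what `is_https()` reports to every caller that relies on it. Honor the header only when the request arrived from a configured proxy, e.g. gate the second condition on `in_array($_SERVER['REMOTE_ADDR'], $trustedProxies, true)`, where `$trustedProxies` (placeholder name) comes from the system configuration. The local is also named `$is_http` although it holds the https result, and both comparisons use `==`; `$isHttps` with `===` reads as intended.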
@@ -1244,7 +1241,14 @@ class G
 if ($download) {
 G::sendHeaders( $filename, 'text/plain', $download, $downloadFileName );
 } else {
- require_once ($filename);
+ if (\Bootstrap::getDisablePhpUploadExecution() === 0) {
+ \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $filename);
+ require_once ($filename);
+ } else {
+ $message = G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $filename);
+ echo $message;
+ }
 return;
 }
 break;
@@ -5542,16 +5546,24 @@ class G
 $res->status = false;
 $allowedTypes = array_map('G::getRealExtension', explode(',', $InpDocAllowedFiles));
+ // Get the file extension
+ $aux = pathinfo($fileName);
+ $fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : '';
+
+ if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $fileExtension === 'php') {
+ $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileName);
+ $res->status = false;
+ $res->message = $message;
+ return $res;
+ }
+
 // If required extension is *.* don't validate
 if (in_array('*', $allowedTypes)) {
 $res->status = true;
 return $res;
 }
- // Get the file extension
- $aux = pathinfo($fileName);
- $fileExtension = isset($aux['extension']) ? strtolower($aux['extension']) : '';
-
 // If no valid extension finish (unnecesary check file content)
 $validExtension = in_array($fileExtension, $allowedTypes);
 if (!$validExtension) {
diff --git a/pmos.conf.example b/pmos.conf.example
index 5c0fac310..a592ed0bc 100644
--- a/pmos.conf.example
+++ b/pmos.conf.example
@@ -6,7 +6,7 @@ Options Indexes FollowSymLinks MultiViews
- AllowOverride None
+ AllowOverride All
 Order allow,deny
 Allow from all
 Require all granted
diff --git a/workflow/engine/classes/class.case.php b/workflow/engine/classes/class.case.php
index e2da9d154..e8e257cde 100644
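Review bot: In the refusing branch `echo $message;` goes out with the default 200 status, so clients and monitoring see a successful response whose body happens to be the refusal text; send an explicit status first, `header('HTTP/1.0 403 Forbidden');`, and the same applies to the equivalent branch added in sysGeneric.php. In the permitting branch the log entry is written before `require_once ($filename)`, which is the right order for an audit trail, but the decision rests on the global flag alone and nothing in this hunk shows where `$filename` comes from — a one-line comment above the `if` naming the origin of `$filename` and why executing it is ever allowed would help the next reader. The enclosing method starts before and ends after this hunk.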
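Review bot: The refusal matches only the literal extension `php`, so a file with any other extension that the web server's handler configuration routes to the PHP interpreter passes this check, and when `$InpDocAllowedFiles` is `*` the following `in_array('*', $allowedTypes)` branch accepts it without further validation. Keep the refused extensions in one configurable list rather than a hard-coded string and compare against that list here and in the other upload paths of this commit (appFolderAjax.php, InputDocument.php, FilesManager.php, Light.php), or better, allow-list what each upload point actually needs. Moving the extension computation above the `*` short-circuit is correct and deliberate; a comment saying so, `// extension is needed before the '*' shortcut so the PHP refusal applies to every input document`, would stop someone from moving it back. The method continues past the end of the hunk.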
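Review bot: `AllowOverride All` lets every `.htaccess` under the document root override server configuration, including handler and options directives, which widens what a file written into that tree can change — the opposite direction from the rest of this commit, which tries to keep uploaded PHP from running. If the change exists because a shipped `.htaccess` needs it, restrict it to the override classes that file actually uses, e.g. `AllowOverride FileInfo Options` (constructed example), and name that file in a comment above the directive. Why `None` was changed is not stated anywhere in the diff.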
--- a/workflow/engine/classes/class.case.php
+++ b/workflow/engine/classes/class.case.php
@@ -5325,7 +5325,7 @@ class Cases
 $dataLastEmail['configuration'] = $aConfiguration;
 $dataLastEmail['subject'] = $sSubject;
 $dataLastEmail['pathEmail'] = $pathEmail;
- $dataLastEmail['swtplDeafault'] = $swtplDefault;
+ $dataLastEmail['swtplDefault'] = $swtplDefault;
 $dataLastEmail['body'] = $sBody;
 $dataLastEmail['from'] = $from;
 break;
@@ -5393,7 +5393,7 @@ class Cases
 $dataLastEmail['configuration'] = $aConfiguration;
 $dataLastEmail['subject'] = $sSubject;
 $dataLastEmail['pathEmail'] = $pathEmail;
- $dataLastEmail['swtplDeafault'] = $swtplDefault;
+ $dataLastEmail['swtplDefault'] = $swtplDefault;
 $dataLastEmail['body'] = $sBody;
 $dataLastEmail['from'] = $from;
 break;
diff --git a/workflow/engine/classes/class.system.php b/workflow/engine/classes/class.system.php
index 73e92bb16..f6d98dea6 100644
--- a/workflow/engine/classes/class.system.php
+++ b/workflow/engine/classes/class.system.php
@@ -78,7 +78,8 @@ class System
 'leave_case_warning' => 0,
 'server_hostname_requests_frontend' => '',
 'load_headers_ie' => 0,
- 'redirect_to_mobile' => 0
+ 'redirect_to_mobile' => 0,
+ 'disable_php_upload_execution' => 0
 );
 /**
diff --git a/workflow/engine/content/translations/english/processmaker.en.po b/workflow/engine/content/translations/english/processmaker.en.po
index 1872d7e25..3348bc83e 100644
--- a/workflow/engine/content/translations/english/processmaker.en.po
+++ b/workflow/engine/content/translations/english/processmaker.en.po
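Review bot: `'disable_php_upload_execution' => 0` makes the new protection opt-in, so an upgraded installation keeps accepting and executing uploaded PHP files until an administrator learns that the key exists, and nothing in this commit documents it beyond the getter's docblock mention of env.ini. If backward compatibility forces the permissive default, say so next to the entry, `'disable_php_upload_execution' => 0, // legacy default; set to 1 in env.ini to refuse PHP upload and execution`, and document that only 0 or 1 are meaningful because the getter casts the value with `(int)`. Otherwise 1 is the safer default for a value that gates `require_once` on user-supplied files.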
@@ -27419,6 +27419,18 @@ msgstr "External Registration"
 msgid "Filter By"
 msgstr "Filter By"
+# TRANSLATION
+# LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
+#: LABEL/THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED
+msgid "The upload of PHP files was disabled please contact the system administrator."
+msgstr "The upload of PHP files was disabled please contact the system administrator."
+
+# TRANSLATION
+# LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
+#: LABEL/THE_PHP_FILES_EXECUTION_WAS_DISABLED
+msgid "The PHP files execution was disabled please contact the system administrator."
+msgstr "The PHP files execution was disabled please contact the system administrator."
+
 # TRANSLATION
 # LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
 #: LABEL/ID_MAFE_cae0206c31eaa305dd0e847330c5e837
diff --git a/workflow/engine/methods/appFolder/appFolderAjax.php b/workflow/engine/methods/appFolder/appFolderAjax.php
index 72926ee81..f1c7f68d7 100644
--- a/workflow/engine/methods/appFolder/appFolderAjax.php
+++ b/workflow/engine/methods/appFolder/appFolderAjax.php
@@ -1534,6 +1534,18 @@ function uploadExternalDocument()
 //Read. Instance Document classes
 if (!empty($quequeUpload)) {
+ foreach ($quequeUpload as $key => $fileObj) {
+ $extension = pathinfo($fileObj['fileName'], PATHINFO_EXTENSION);
+ if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extension === 'php') {
+ $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $fileObj['fileName']);
+ $response['error'] = $message;
+ $response['message'] = $message;
+ $response['success'] = false;
+ print_r(G::json_encode($response));
+ exit();
+ }
+ }
 $docUid=$_POST['docUid'];
 $appDocUid=isset($_POST['APP_DOC_UID'])?$_POST['APP_DOC_UID']:"";
 $docVersion=isset($_POST['docVersion'])?$_POST['docVersion']:"";
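Review bot: `$extension === 'php'` compares the extension exactly as `pathinfo` returns it, while the equivalent check added to class.g.php in this commit lowercases first; the two paths therefore disagree on mixed-case names, and `strtolower` should be applied here as well: `$extension = strtolower(pathinfo($fileObj['fileName'], PATHINFO_EXTENSION));`. The same missing normalisation is in InputDocument.php, Light.php and FilesManager.php (`$extention === '.php'`, unless `$extention` is already lowercased where it is computed outside that hunk). The loop also ends the whole request on the first refused file, so a batch with several files reports only the first message; that may be intended but deserves a comment. `uploadExternalDocument()` starts before this hunk.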
diff --git a/workflow/engine/methods/cases/proxyNewCasesList.php b/workflow/engine/methods/cases/proxyNewCasesList.php
index aa2fda729..bf561dc7f 100644
--- a/workflow/engine/methods/cases/proxyNewCasesList.php
+++ b/workflow/engine/methods/cases/proxyNewCasesList.php
@@ -10,9 +10,6 @@ if (!isset($_SESSION['USER_LOGGED'])) {
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
-$_GET = $filter->xssFilterHard($_GET);
-$_REQUEST = $filter->xssFilterHard($_REQUEST);
-$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
 try {
 $userUid = $_SESSION['USER_LOGGED'];
@@ -187,6 +184,7 @@ try {
 );
 $response = array();
+ $response['filters'] = $filters;
 $response['totalCount'] = $list->getCountList($userUid, $filters);
 $response = $filter->xssFilterHard($response);
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php b/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php
index 53ca8677f..0426def6b 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Cases/InputDocument.php
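Review bot: Dropping the three `xssFilterHard` calls means every later read of `$_GET` and `$_REQUEST` in this script now receives raw request input; the second hunk still filters `$response` on the way out, so what is reflected back stays covered, but the values that end up in `$filters` and reach `$list->getCountList($userUid, $filters)` are no longer sanitised anywhere visible here. That is acceptable — and the removal is an improvement, since mangling the session user id with an HTML filter was odd — only if the list layer binds those values as query parameters rather than interpolating them; that code is outside the diff and should be checked before this lands. A short comment at the removal site stating that reliance, `// request values are bound as parameters in the list layer; output is filtered below`, would keep the next reader from reinstating the filter.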
@@ -971,6 +971,16 @@ class InputDocument
 $aFields = array("APP_UID" => $appUid, "DEL_INDEX" => $delIndex, "USR_UID" => $userUid, "DOC_UID" => -1, "APP_DOC_TYPE" => "ATTACHED", "APP_DOC_CREATE_DATE" => date("Y-m-d H:i:s"), "APP_DOC_COMMENT" => "", "APP_DOC_TITLE" => "", "APP_DOC_FILENAME" => $arrayFileName[$i], "APP_DOC_FIELDNAME" => $fieldName);
 }
+ $sExtension = pathinfo($aFields["APP_DOC_FILENAME"]);
+ if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $sExtension["extension"] === 'php') {
+ $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $sFileName);
+ \G::SendMessageText($message, "ERROR");
+ $backUrlObj = explode("sys" . SYS_SYS, $_SERVER['HTTP_REFERER']);
+ \G::header("location: " . "/sys" . SYS_SYS . $backUrlObj[1]);
+ die();
+ }
+
 $oAppDocument = new \AppDocument();
 $oAppDocument->create($aFields);
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
index aa8cd56a1..a949ce0a5 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
@@ -187,6 +187,11 @@ class FilesManager
 if ($extention == '.exe') {
 throw new \Exception(\G::LoadTranslation('ID_FILE_UPLOAD_INCORRECT_EXTENSION'));
 }
+ if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $extention === '.php') {
+ $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $aData['prf_filename']);
+ throw new \Exception($message);
+ }
 break;
 default:
 $sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . $sSubDirectory . $aData['prf_filename'];
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Light.php b/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
index e739eb485..d33c85488 100644
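Review bot: `$sExtension["extension"]` is read without an isset guard, so a filename with no extension raises an undefined-index notice on this line; `$sExtension = pathinfo($aFields["APP_DOC_FILENAME"], PATHINFO_EXTENSION);` returns `''` in that case and avoids it. The log call passes `$sFileName` while everything else in the hunk works with `$aFields["APP_DOC_FILENAME"]`; whether `$sFileName` is defined in this method is not visible, so confirm it or pass the same value. The redirect derives its target from `$_SERVER['HTTP_REFERER']`, which is absent on some clients and client-supplied on all of them, so `$backUrlObj[1]` may not exist and the location becomes whatever path follows the workspace segment in the referer; a fixed fallback path when the referer lacks the `"sys" . SYS_SYS` segment avoids both problems. The enclosing method begins and ends outside this hunk.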
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Light.php
@@ -902,6 +902,16 @@ class Light
 $response = array();
 if (is_array($request_data)) {
 foreach ($request_data as $k => $file) {
+ $ext = pathinfo($file['name'], PATHINFO_EXTENSION);
+ if (\Bootstrap::getDisablePhpUploadExecution() === 1 && $ext === 'php') {
+ $message = \G::LoadTranslation('THE_UPLOAD_OF_PHP_FILES_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpUpload', 550, $message, $file['name']);
+ $response[$k]['error'] = array(
+ "code" => "400",
+ "message" => $message
+ );
+ continue;
+ }
 $oCase = new \Cases();
 $delIndex = $oCase->getCurrentDelegation($app_uid, $userUid);
 $docUid = !empty($file['docUid']) ? $file['docUid'] : -1;
diff --git a/workflow/public_html/sysGeneric.php b/workflow/public_html/sysGeneric.php
index b839b75c7..4c0d5d474 100644
--- a/workflow/public_html/sysGeneric.php
+++ b/workflow/public_html/sysGeneric.php
@@ -337,6 +337,7 @@ define ('WS_IN_LOGIN', isset($config['WS_IN_LOGIN']) ? $config['WS_IN_LOGIN'] :
 define('LOAD_HEADERS_IE', $config['load_headers_ie']);
 define('LEAVE_CASE_WARNING', $config['leave_case_warning']);
 define('REDIRECT_TO_MOBILE', $config['redirect_to_mobile']);
+define('DISABLE_PHP_UPLOAD_EXECUTION', $config['disable_php_upload_execution']);
 // IIS Compatibility, SERVER_ADDR doesn't exist on that env, so we need to define it.
 $_SERVER['SERVER_ADDR'] = isset( $_SERVER['SERVER_ADDR'] ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['SERVER_NAME'];
@@ -801,6 +802,17 @@ if (substr( SYS_COLLECTION, 0, 8 ) === 'gulliver') {
 die();
 }
+ Bootstrap::initVendors();
+ Bootstrap::LoadSystem( 'monologProvider' );
+ if (\Bootstrap::getDisablePhpUploadExecution() === 1) {
+ $message = \G::LoadTranslation('THE_PHP_FILES_EXECUTION_WAS_DISABLED');
+ \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 550, $message, $phpFile);
+ echo $message;
+ die();
+ } else {
+ \Bootstrap::registerMonologPhpUploadExecution('phpExecution', 200, 'Php Execution', $phpFile);
+ }
+
 $avoidChangedWorkspaceValidation = true;
 $bWE = true;
 //$phpFile = PATH_DATA_SITE . 'public' . PATH_SEP . SYS_COLLECTION . PATH_SEP . $auxPart[ count($auxPart)-1];
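Review bot: The `else` branch writes a level-200 'Php Execution' entry to processmaker.log for every request that reaches this point, which on a busy workspace is a continuous INFO stream that can bury the level-550 refusals it is meant to contextualise; consider logging only refusals, or gating the success entry behind a debug setting. The `else` after `die()` is also unnecessary — the refusal branch never returns, so the success log can follow the `if` at the same level. `Bootstrap::initVendors()` and `Bootstrap::LoadSystem( 'monologProvider' )` are now called on this path solely for logging; whether they were already initialised earlier in sysGeneric.php is not visible, so confirm that calling them twice is harmless.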