From 61fafc43f40d66279419aa98b3fa47ee7dbe250a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 12 Apr 2007 19:47:50 +0000
Subject: [PATCH] =?UTF-8?q?Security:=20Ajout=20test=20pour=20=E9viter=20do?=
 =?UTF-8?q?wnload=20fichier=20hors=20htdocs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 htdocs/document.php | 19 ++++++++++++++++---
 htdocs/viewimage.php | 17 ++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/htdocs/document.php b/htdocs/document.php
index 89fc702a936..8f8f88c8305 100644
--- a/htdocs/document.php
+++ b/htdocs/document.php
@@ -57,9 +57,9 @@ if (eregi('\.jpg$',$original_file)) { $type='image/jpeg'; $attachment = true; }
 if (eregi('\.png$',$original_file)) { $type='image/jpeg'; $attachment = true; }
 if (eregi('\.tiff$',$original_file)) { $type='image/tiff'; $attachment = true; }
-//Suppression de la chaine de caractère ../ dans $original_file
+// Suppression de la chaine de caractère ../ dans $original_file
 $original_file = str_replace("../","/", "$original_file");
-# find the subdirectory name as the reference
+// find the subdirectory name as the reference
 $refname=basename(dirname($original_file)."/");
 $accessallowed=0;
@@ -335,12 +335,25 @@ if ($user->societe_id>0)
 }
 }
+// Security:
 // Limite accès si droits non corrects
 if (! $accessallowed)
 {
 accessforbidden();
 }
+// Security:
+// On interdit les remontées de repertoire ainsi que les pipe dans
+// les noms de fichiers.
+if (eregi('\.\.',$original_file) || eregi('[<>|]',$original_file))
+{
+ dolibarr_syslog("Refused to deliver file ".$original_file);
+ // Do no show plain path in shown error message
+ dolibarr_print_error(0,$langs->trans("ErrorFileNameInvalid",$_GET["file"]));
+ exit;
+}
+
+
 if ($action == 'remove_file')
 {
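Review bot: The rejection branch `dolibarr_print_error(0,$langs->trans("ErrorFileNameInvalid",$_GET["file"]))` echoes the raw query parameter back to the browser in exactly the case where that value is known to contain `<`, `>`, `|` or `..`; unless `dolibarr_print_error` or `$langs->trans` HTML-escape their arguments (not visible here), this is a reflected-XSS sink, so escape at the call site: `$langs->trans("ErrorFileNameInvalid", htmlentities($_GET["file"]))`. The guard is a denylist applied to the fully assembled path, and it runs after the `str_replace("../","/", ...)` from the first hunk and after `$refname` has already been derived from the unchecked value; a canonical-path containment test is a stronger invariant, i.e. `realpath($original_file)` must start with the `realpath()` of the output directory the matching modulepart branch prepended, which also covers symlinks and separator variants the regex does not name. For a literal substring test `strpos($original_file, '..') !== false` reads more clearly than `eregi('\.\.', ...)`. The `if ($action == 'remove_file')` block opened by the last context lines continues past the hunk.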
@@ -354,7 +367,7 @@ if ($action == 'remove_file')
 if (! file_exists($original_file))
 {
- dolibarr_print_error(0,$langs->trans("ErrorFileDoesNotExists",$original_file));
+ dolibarr_print_error(0,$langs->trans("ErrorFileDoesNotExists",$_GET["file"]));
 exit;
 }
 unlink($original_file);
diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php
index 600667d6f6c..f756163c40e 100644
--- a/htdocs/viewimage.php
+++ b/htdocs/viewimage.php
@@ -40,8 +40,6 @@ $original_file = urldecode($_GET["file"]);
 $modulepart = urldecode($_GET["modulepart"]);
 $type = urldecode($_GET["type"]);
-$filename = basename ($original_file);
-
 $accessallowed=0;
 if ($modulepart)
@@ -229,12 +227,25 @@ if ($modulepart)
 }
+// Security:
 // Limite accès si droits non corrects
 if (! $accessallowed)
 {
 accessforbidden();
 }
+// Security:
+// On interdit les remontées de repertoire ainsi que les pipe dans
+// les noms de fichiers.
+if (eregi('\.\.',$original_file) || eregi('[<>|]',$original_file))
+{
+ dolibarr_syslog("Refused to deliver file ".$original_file);
+ // Do no show plain path in shown error message
+ dolibarr_print_error(0,$langs->trans("ErrorFileNameInvalid",$_GET["file"]));
+ exit;
+}
+
+
 // Ouvre et renvoi fichier
 clearstatcache();
@@ -244,7 +255,7 @@ dolibarr_syslog("viewimage.php download $original_file $filename content-type=$t
 if (! file_exists($original_file))
 {
- dolibarr_print_error(0,$langs->trans("ErrorFileDoesNotExists",$original_file));
+ dolibarr_print_error(0,$langs->trans("ErrorFileDoesNotExists",$_GET["file"]));
 exit;
 }
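Review bot: Removing `$filename = basename ($original_file);` leaves the log statement that heads the last hunk of this file, `dolibarr_syslog("viewimage.php download $original_file $filename content-type=$t…`, interpolating a variable that is no longer assigned anywhere visible, so it will raise an undefined-variable notice and log an empty field unless the unseen middle of the file reassigns it; either keep the assignment or drop `$filename` from that format string. Separately, `$_GET["file"]` has already been URL-decoded by PHP, so `urldecode($_GET["file"])` on the header line decodes a second time; the new guard later in the file correctly tests the doubly decoded `$original_file`, but the value it then echoes in its error message is the singly decoded `$_GET["file"]`, so the two can differ and the message may not show what was rejected.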
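Review bot: The traversal guard sits after the entire `if ($modulepart)` chain that builds `$original_file` and `$accessallowed` (that chain is outside this hunk), so any branch in it that already touches the filesystem with `$original_file` runs on the unchecked request value; validating at the input boundary is easier to reason about, so repeat the same test immediately after `$original_file = urldecode($_GET["file"]);` and keep a final containment check here. For that final check prefer a canonical-path test over the character denylist: `realpath($original_file)` must start with the `realpath()` of the directory the matching branch prepended, which also handles symlinks and anything the `[<>|]` class does not enumerate. As in document.php, `$langs->trans("ErrorFileNameInvalid",$_GET["file"])` reflects the raw parameter precisely when it is known to hold `<`/`>` or `..`; unless `dolibarr_print_error` escapes its text, pass `htmlentities($_GET["file"])` instead.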