From fbbcec2ba3e1346202c50a74a553296568270fb6 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 10 Mar 2017 14:04:06 +0100 Subject: [PATCH 1/2] FIX #6444 --- htdocs/core/lib/files.lib.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 337b0fdc460..664c2e0a03d 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1066,7 +1066,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable } // Security: - // On interdit fichiers caches, remontees de repertoire ainsi que les pipes dans les noms de fichiers. + // We refuse cache files/dirs, upload using .. and pipes into filenames. if (preg_match('/^\./',$src_file) || preg_match('/\.\./',$src_file) || preg_match('/[<>|]/',$src_file)) { dol_syslog("Refused to deliver file ".$src_file, LOG_WARNING); @@ -1150,6 +1150,14 @@ function dol_delete_file($file,$disableglob=0,$nophperrors=0,$nohook=0,$object=n dol_syslog("dol_delete_file file=".$file." disableglob=".$disableglob." nophperrors=".$nophperrors." nohook=".$nohook); + // Security: + // We refuse cache files/dirs, upload using .. and pipes into filenames. + if (preg_match('/^\./',$file) || preg_match('/\.\./',$file) || preg_match('/[<>|]/',$file)) + { + dol_syslog("Refused to delete file ".$file, LOG_WARNING); + return False; + } + if (empty($nohook)) { $hookmanager->initHooks(array('fileslib')); From 277fa7dbe16fe37fc1f3553bb844276ec4a8ac91 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 10 Mar 2017 14:08:53 +0100 Subject: [PATCH 2/2] FIX #6444 --- htdocs/core/lib/files.lib.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 664c2e0a03d..c7cc2687463 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -1139,6 +1139,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable * @param int $nohook Disable all hooks * @param object $object Current object in use * @return boolean True if no error (file is deleted or if glob is used and there's nothing to delete), False if error + * @see dol_delete_dir */ function dol_delete_file($file,$disableglob=0,$nophperrors=0,$nohook=0,$object=null) { @@ -1151,8 +1152,8 @@ function dol_delete_file($file,$disableglob=0,$nophperrors=0,$nohook=0,$object=n dol_syslog("dol_delete_file file=".$file." disableglob=".$disableglob." nophperrors=".$nophperrors." nohook=".$nohook); // Security: - // We refuse cache files/dirs, upload using .. and pipes into filenames. - if (preg_match('/^\./',$file) || preg_match('/\.\./',$file) || preg_match('/[<>|]/',$file)) + // We refuse transversal using .. and pipes into filenames. + if (preg_match('/\.\./',$file) || preg_match('/[<>|]/',$file)) { dol_syslog("Refused to delete file ".$file, LOG_WARNING); return False; @@ -1222,9 +1223,18 @@ function dol_delete_file($file,$disableglob=0,$nophperrors=0,$nohook=0,$object=n * @param string $dir Directory to delete * @param int $nophperrors Disable all PHP output errors * @return boolean True if success, false if error + * @see dol_delete_file */ function dol_delete_dir($dir,$nophperrors=0) { + // Security: + // We refuse transversal using .. and pipes into filenames. + if (preg_match('/\.\./',$dir) || preg_match('/[<>|]/',$dir)) + { + dol_syslog("Refused to delete dir ".$dir, LOG_WARNING); + return False; + } + $dir_osencoded=dol_osencode($dir); return ($nophperrors?@rmdir($dir_osencoded):rmdir($dir_osencoded)); }