Fix the noexe must be added for dangerous extension like js and shells

Laurent Destailleur 2019-05-21 13:53:12 +02:00
parent ebf252f8a3
commit f283e24b48
3 changed files with 19 additions and 2 deletions


@ -194,7 +194,7 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave','alpha'))
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$filenameto.= '.noexe';
}
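Review bot: The new `isAFileWithExecutableContent($filenameto)` test looks only at the final extension, whereas the replaced pattern left every alternative except `\.cgi$` unanchored, so a name such as `report.php.txt` used to receive `.noexe` and no longer does. On web servers that select a handler from any extension in the name, that matters whenever the documents directory sits inside the web root. If the narrowing is not intended, the helper's pattern could accept a following dot as well as end of string: `'/\.(htm|html|js|php|phtml|pl|py|cgi|ksh|sh|bash)(\.|$)/i'`. The same applies to the call in the dol_move_uploaded_file hunk. The enclosing `elseif` branch starts outside this hunk.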


@ -1053,7 +1053,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
// Security:
// Disallow file with some extensions. We rename them.
// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
{
$file_name.= '.noexe';
}
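Review bot: The condition tests `$dest_file` but the suffix is appended to `$file_name`, and the hunk does not show where `$file_name` is assigned or which of the two the later move uses. If `$file_name` is not derived from `$dest_file` before this point, the upload would be stored under its original, executable name despite the check. Once that is confirmed, a short comment here would make the relationship explicit, for example `// $file_name is the on-disk target derived from $dest_file; only it gets the .noexe suffix`. The body of dol_move_uploaded_file starts and ends outside this hunk.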


@ -1,4 +1,6 @@
<?php
use PhpOffice\PhpSpreadsheet\NamedRange;
/* Copyright (C) 2000-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2003 Jean-Louis Bergamo <jlb@j1b.org>
* Copyright (C) 2004-2018 Laurent Destailleur <eldy@users.sourceforge.net>
@ -7925,3 +7927,18 @@ function roundUpToNextMultiple($n, $x=5)
{
return (ceil($n)%$x === 0) ? ceil($n) : round(($n+$x/2)/$x)*$x;
}
/**
* Return if a file can contains executable content
*
* @param string $filename File NamedRange
* @return boolean True if yes, False if no
*/
function isAFileWithExecutableContent($filename)
{
if (preg_match('/\.(htm|html|js|php|phtml|pl|py|cgi|ksh|sh|bash)$/i', $filename))
{
return true;
}
return false;
}
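Review bot: isAFileWithExecutableContent is a denylist, so any server-interpreted extension missing from the group is stored without `.noexe`; `phar` and `shtml`, for example, are absent. The docblock should say that the list is a best-effort fallback and that keeping the documents directory outside the web root is the actual control. The `@param` text reads `File NamedRange`, which looks like an editor completion of "File name" and probably explains the unrelated `use PhpOffice\PhpSpreadsheet\NamedRange;` added at the top of the file. Both can be corrected, with the parameter line becoming `@param string $filename File name` and the `use` line dropped if nothing else in the file needs it.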