From 9569b09e1564ce7969e2d26b975da85b01c3eef3 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Tue, 9 Jun 2020 12:56:37 +0530
Subject: [PATCH] File threat for xss attack on end point addressed

---
 modules/Vtiger/helpers/ShowFile.php | 14 +++++++++-----
 vtlib/Vtiger/Functions.php          |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/modules/Vtiger/helpers/ShowFile.php b/modules/Vtiger/helpers/ShowFile.php
index 7ac64cc0e..5602fd04d 100644
--- a/modules/Vtiger/helpers/ShowFile.php
+++ b/modules/Vtiger/helpers/ShowFile.php
@@ -21,8 +21,8 @@ class Vtiger_ShowFile_Helper {
 
 		$query = "SELECT vtiger_attachments.* FROM vtiger_attachments
 					INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_attachments.attachmentsid
-					WHERE vtiger_attachments.attachmentsid=? AND vtiger_attachments.name=? LIMIT 1";
-		$result = $db->pquery($query, array($fid, $encFileName));
+					WHERE vtiger_attachments.attachmentsid=? LIMIT 1";
+		$result = $db->pquery($query, array($fid));
 		if ($result && $db->num_rows($result)) {
 			$resultData	= $db->fetch_array($result);
 			$fileId		= $resultData['attachmentsid'];
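Review bot: Dropping `vtiger_attachments.name=?` from the query means the attachment is now selected by `fid` alone, and the value that used to be bound as the second parameter (`$encFileName`, presumably the request's `key`, which the companion change in vtlib/Vtiger/Functions.php now fills with `md5($fileName)`) is no longer compared with anything, so the key stops acting as an access check. If the key is meant to keep that role, compare it after the fetch, e.g. `if (!hash_equals(md5($resultData['name']), (string) $encFileName)) { return; }` directly after the `fetch_array` call, before any header is sent. The enclosing method starts outside this hunk, so where `$encFileName` comes from and whether the stored `name` matches the string hashed in Functions.php is not visible here — confirm both before relying on that comparison.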
@@ -30,7 +30,7 @@ class Vtiger_ShowFile_Helper {
 			$fileName	= $resultData['name'];
             $storedFileName = $resultData['storedname'];
 			$fileType	= $resultData['type'];
-			$sanitizedFileName = sanitizeUploadFileName($fileName, $upload_badext);
+			$sanitizedFileName = decode_html(sanitizeUploadFileName($fileName, $upload_badext));
 
 			/**
 			 * While saving the document applying decode_html to save in DB, but this is not happening for the images
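Review bot: Wrapping the sanitized name in `decode_html(...)` re-introduces characters such as `"` that `sanitizeUploadFileName` may have entity-encoded, and the same value is later interpolated unescaped inside the quoted `Content-Disposition` header in the `show()` hunk below (`filename=\"$sanitizedFileName\"`), so a `"` or `;` in a stored name would end the quoted string and let the remainder be parsed as further header parameters. Keep the decoded name for the filesystem lookup but build the header from an escaped copy, e.g. `header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($sanitizedFileName));` (RFC 6266/8187), or strip `"` and control characters from the header copy. Whether `sanitizeUploadFileName` actually encodes quotes is not visible in this diff; confirm against its implementation. The enclosing method starts and ends outside this hunk.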
@@ -52,7 +52,7 @@ class Vtiger_ShowFile_Helper {
                     }
                 }
                 if ($isFileExist) {
-                    Vtiger_ShowFile_Helper::show($finalFilePath,$fileType);
+                    Vtiger_ShowFile_Helper::show($finalFilePath,$fileType, $sanitizedFileName);
                 }
             }
 		}
@@ -63,11 +63,15 @@ class Vtiger_ShowFile_Helper {
 	 * @param type $finalFilePath - the proper image folder path
 	 * @param type $fileType - image file type
 	 */
-	static function show($finalFilePath, $fileType) {
+	static function show($finalFilePath, $fileType, $sanitizedFileName=false) {
 		$handle = fopen($finalFilePath, "rb");
 		$contents = fread($handle, filesize($finalFilePath));
 		fclose($handle);
 
+        //added since other than image files we need file names, other wise it downloads with public.php extension which is treated as dangerous
+		if($sanitizedFileName) {
+			header("Content-Disposition: attachment; filename=\"$sanitizedFileName\"");
+		}
 		header("Content-Type: $fileType;charset=UTF-8");
 		echo $contents;
 	}
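Review bot: The new `Content-Disposition` header is only emitted when a name is passed, while `Content-Type` is still taken verbatim from the stored `$fileType` for every caller, so an attachment served through the name-less path is still rendered inline under whatever type the record carries; add `header('X-Content-Type-Options: nosniff');` beside the content-type header so browsers do not reinterpret the body. The `if($sanitizedFileName)` truthiness test also skips the header for a file literally named `0`; `if ($sanitizedFileName !== false)` matches the default the new signature introduces. The unchecked `fopen`/`fread` results are pre-existing, but with the new header a missing file now answers 200 with an attachment disposition and an empty body.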
diff --git a/vtlib/Vtiger/Functions.php b/vtlib/Vtiger/Functions.php
index a1581bb62..4a26983b5 100644
--- a/vtlib/Vtiger/Functions.php
+++ b/vtlib/Vtiger/Functions.php
@@ -1553,7 +1553,7 @@ class Vtiger_Functions {
         $fileId = $imageId;
         $fileName = $imageName;
 		if ($fileId) {
-			$publicUrl = "public.php?fid=$fileId&key=".$fileName;
+			$publicUrl = "public.php?fid=$fileId&key=".md5($fileName);
 		}
 		return $publicUrl;
 	}
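Review bot: `md5($fileName)` does not make the link harder to guess: the file name is stored with the record and readable by anyone who can see the attachment, and the companion change in modules/Vtiger/helpers/ShowFile.php no longer checks the `key` at all, so the change only hides the name in the URL. If the key is meant to gate access, derive it from a server-side secret, e.g. `$publicUrl = "public.php?fid=$fileId&key=" . hash_hmac('sha256', $fileId . '|' . $fileName, $appSecret);` (`$appSecret` is a placeholder for a value read from application config), and verify it in the helper with `hash_equals()`. The enclosing method starts outside this hunk.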
-- 
GitLab