From 1e5d74c29c543807f6322ae5652e68db8aa46412 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Thu, 29 Aug 2019 16:00:55 +0530
Subject: [PATCH] File security with obscurity

---
 data/CRMEntity.php                                | 15 +++++++++------
 modules/Documents/models/Record.php               |  2 +-
 modules/Documents/views/FilePreview.php           |  2 +-
 modules/Emails/actions/DownloadFile.php           |  2 +-
 modules/Vtiger/models/Record.php                  |  2 +-
 .../modules/ModComments/views/FilePreview.php     |  2 +-
 6 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/data/CRMEntity.php b/data/CRMEntity.php
index dc367763c..e36c9cda0 100644
--- a/data/CRMEntity.php
+++ b/data/CRMEntity.php
@@ -186,17 +186,20 @@ class CRMEntity {
 		if ($save_file == 'false') {
 			return false;
 		}
+        
+        $binFile = sanitizeUploadFileName($file_name, $upload_badext);
+
+		$current_id = $adb->getUniqueID("vtiger_crmentity");
 
 		// Check 2
 		$save_file = 'true';
 		//only images are allowed for these modules
 		if ($module == 'Contacts' || $module == 'Products') {
 			$save_file = validateImageFile($file_details);
-		}
-
-		$binFile = sanitizeUploadFileName($file_name, $upload_badext);
-
-		$current_id = $adb->getUniqueID("vtiger_crmentity");
+            $serverFileName = $current_id . "_" . $binFile;
+		} else {
+            $serverFileName = md5($current_id . "_" . $binFile);
+        }
 
 		$filename = ltrim(basename(" " . $binFile)); //allowed filename like UTF-8 characters
 		$filetype = $file_details['type'];
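Review bot: The new `$serverFileName` is hashed only in the `else` branch, so Contacts/Products uploads stay on disk as `<id>_<name>` while every reader touched by this patch (Vtiger_Record_Model, Documents, Emails, ModComments) computes `md5(...)` unconditionally; any of those paths that serves a Contacts/Products attachment will look for a name that is never written. Put the contract at the branch, e.g. `// images keep <id>_<name> (read by the image views); other modules store md5(<id>_<name>) so no extension reaches disk`, so the next reader knows there are two layouts. The hash input is the crmentity id plus the sanitized name, both persisted in the database, so the stored name is reproducible rather than secret; the gain is that the file loses its extension, and the upload directory still has to be kept out of direct web reach. The five added lines are space-indented in a tab-indented method and the first of them is whitespace-only, which will show up in every later blame and diff. The enclosing method starts before and ends after this hunk.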
@@ -206,7 +209,7 @@ class CRMEntity {
 		$upload_file_path = decideFilePath();
 
 		// upload the file in server
-		$upload_status = copy($filetmp_name, $upload_file_path . $current_id . "_" . $binFile);
+		$upload_status = copy($filetmp_name, $upload_file_path . $serverFileName);
 		// temporary file will be deleted at the end of request
 
 		if ($save_file == 'true' && $upload_status == 'true') {
diff --git a/modules/Documents/models/Record.php b/modules/Documents/models/Record.php
index 1c12401d9..dc876f54c 100644
--- a/modules/Documents/models/Record.php
+++ b/modules/Documents/models/Record.php
@@ -75,7 +75,7 @@ class Documents_Record_Model extends Vtiger_Record_Model {
 
 			if ($this->get('filelocationtype') == 'I') {
 				$fileName = html_entity_decode($fileName, ENT_QUOTES, vglobal('default_charset'));
-				$savedFile = $fileDetails['attachmentsid']."_".$fileName;
+				$savedFile = md5($fileDetails['attachmentsid']."_".$fileName);
 
 				while(ob_get_level()) {
 					ob_end_clean();
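Review bot: Attachments stored before this commit still sit on disk as `<attachmentsid>_<name>`, and the new `$savedFile = md5(...)` line has no fallback, so every pre-existing internal document becomes unreadable (`filesize()` returns false with a warning and the `fopen` that follows fails). The same applies to the matching lines in Documents/views/FilePreview.php, Emails/actions/DownloadFile.php, Vtiger/models/Record.php and ModComments/views/FilePreview.php. Unless a migration renames the stored files, resolve the name with a fallback such as `$savedFile = md5($fileDetails['attachmentsid']."_".$fileName);` `if (!file_exists($fileDetails['path'].$savedFile)) { $savedFile = $fileDetails['attachmentsid']."_".$fileName; // pre-hash layout }`, keeping the directory prefix server-controlled as it is here. The hash input must also match the writer byte-for-byte: the writer hashes the sanitized `$binFile`, the readers the entity-decoded stored name, and any divergence between those two strings makes the lookup fail silently. The enclosing method continues outside the hunk.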
diff --git a/modules/Documents/views/FilePreview.php b/modules/Documents/views/FilePreview.php
index b73f66118..010e1e2b6 100644
--- a/modules/Documents/views/FilePreview.php
+++ b/modules/Documents/views/FilePreview.php
@@ -44,7 +44,7 @@ class Documents_FilePreview_View extends Vtiger_IndexAjax_View {
 
 			if ($recordModel->get('filelocationtype') == 'I') {
 				$fileName = html_entity_decode($fileName, ENT_QUOTES, vglobal('default_charset'));
-				$savedFile = $fileDetails['attachmentsid']."_".$fileName;
+				$savedFile = md5($fileDetails['attachmentsid']."_".$fileName);
 
 				$fileSize = filesize($filePath.$savedFile);
 				$fileSize = $fileSize + ($fileSize % 1024);
diff --git a/modules/Emails/actions/DownloadFile.php b/modules/Emails/actions/DownloadFile.php
index 01aabbbf8..f21b6f040 100644
--- a/modules/Emails/actions/DownloadFile.php
+++ b/modules/Emails/actions/DownloadFile.php
@@ -34,7 +34,7 @@ class Emails_DownloadFile_Action extends Vtiger_Action_Controller {
             $name = $row["name"];
             $filepath = $row["path"];
             $name = decode_html($name);
-            $saved_filename = $attachmentId."_".$name;
+            $saved_filename = md5($attachmentId."_".$name);
             $disk_file_size = filesize($filepath.$saved_filename);
             $filesize = $disk_file_size + ($disk_file_size % 1024);
             $fileContent = fread(fopen($filepath.$saved_filename, "r"), $filesize);
diff --git a/modules/Vtiger/models/Record.php b/modules/Vtiger/models/Record.php
index be7e4fc2b..2433bb897 100644
--- a/modules/Vtiger/models/Record.php
+++ b/modules/Vtiger/models/Record.php
@@ -590,7 +590,7 @@ class Vtiger_Record_Model extends Vtiger_Base_Model {
 			$filePath = $fileDetails['path'];
 			$fileName = $fileDetails['name'];
 			$fileName = html_entity_decode($fileName, ENT_QUOTES, vglobal('default_charset'));
-			$savedFile = $fileDetails['attachmentsid']."_".$fileName;
+			$savedFile = md5($fileDetails['attachmentsid']."_".$fileName);
 			$fileSize = filesize($filePath.$savedFile);
 			$fileSize = $fileSize + ($fileSize % 1024);
 			if (fopen($filePath.$savedFile, "r")) {
diff --git a/pkg/vtiger/modules/ModComments/modules/ModComments/views/FilePreview.php b/pkg/vtiger/modules/ModComments/modules/ModComments/views/FilePreview.php
index c1d312888..6816cbbb2 100644
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/views/FilePreview.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/views/FilePreview.php
@@ -37,7 +37,7 @@ class ModComments_FilePreview_View extends Vtiger_IndexAjax_View {
 			$filePath = $fileDetails['path'];
 			$fileName = $fileDetails['name'];
 			$fileName = html_entity_decode($fileName, ENT_QUOTES, vglobal('default_charset'));
-			$savedFile = $fileDetails['attachmentsid']."_".$fileName;
+			$savedFile = md5($fileDetails['attachmentsid']."_".$fileName);
 
 			$fileSize = filesize($filePath.$savedFile);
 			$fileSize = $fileSize + ($fileSize % 1024);
-- 
GitLab