diff --git a/kcfinder/core/browser.php b/kcfinder/core/browser.php
index f429fd9c43a28917429fe40506c645ec4ac662cb..e292bf842cfc872c261cd9d67861a0f91257c8b0 100644
--- a/kcfinder/core/browser.php
+++ b/kcfinder/core/browser.php
@@ -262,7 +262,8 @@ class browser extends uploader {
             $this->errorMsg($message);
         }
 
-        $target = "$dir/" . file::getInexistantFilename($this->file['name'], $dir);
+        $sanitizedFilename = file::sanitizeFileName($this->file['name']);
+        $target = "$dir/" . file::getInexistantFilename($sanitizedFilename, $dir);
 
         if (!@move_uploaded_file($this->file['tmp_name'], $target) &&
             !@rename($this->file['tmp_name'], $target) &&
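Review bot: The sanitized name can collapse to an empty string (a name consisting only of the characters `sanitizeFileName` strips), and the new line then builds `$target` as `"$dir/"` and hands an empty name to `getInexistantFilename`, which nothing visible here guards against. Reject that case before the target is built, e.g. `if ($sanitizedFilename === '') $this->errorMsg(/* existing invalid-filename label */);`, so the upload fails closed instead of being attempted on the directory itself. The same applies to the uploader.php hunk at line 203. The enclosing method starts outside the hunk.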
diff --git a/kcfinder/core/uploader.php b/kcfinder/core/uploader.php
index 736708aec6e2dae71c4b59d70b62c2d38f894bcd..f0aa69458cd251c34d31100d21ac48f1db9766dd 100644
--- a/kcfinder/core/uploader.php
+++ b/kcfinder/core/uploader.php
@@ -86,6 +86,7 @@ class uploader {
         $this->types = &$this->config['types'];
         $firstType = array_keys($this->types);
         $firstType = $firstType[0];
+        $this->get['type'] = "images"; // to allow images upload only
         $this->type = (
             isset($this->get['type']) &&
             isset($this->types[$this->get['type']])
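Review bot: Assigning `$this->get['type'] = "images"` unconditionally makes the `isset($this->get['type'])` test on the next line always true and silently discards whatever type the caller requested, so the only condition that still matters is `isset($this->types['images'])`. If the intent is to lock the browser to the images type, state that explicitly and fail when the type is not configured, e.g. `if (!isset($this->types['images'])) { /* error: images type not configured */ }`, rather than falling through to `$firstType`. Selecting the `images` type only applies that type's configured rules; it is not a content check on its own (the validateImage hunk at line 292 is what does that). The enclosing method starts outside the hunk.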
@@ -202,7 +203,8 @@ class uploader {
                 if (!is_dir(path::normalize($dir)))
                     @mkdir(path::normalize($dir), $this->config['dirPerms'], true);
 
-                $target = file::getInexistantFilename("$dir{$file['name']}");
+                $sanitizedFilename = file::sanitizeFileName($file['name']);
+                $target = file::getInexistantFilename("$dir{$sanitizedFilename}");
 
                 if (!@move_uploaded_file($file['tmp_name'], $target) &&
                     !@rename($file['tmp_name'], $target) &&
@@ -290,6 +292,14 @@ class uploader {
         if (!$gd->init_error && !$this->imageResize($gd, $file['tmp_name']))
             return $this->label("The image is too big and/or cannot be resized.");
 
+        //sanitization as per Vtiger standard
+        $isValidImage = Vtiger_Functions::validateImage($file);
+        if (is_string($isValidImage))
+            $isValidImage = ($isValidImage == 'false') ? false : true;
+        if (!$isValidImage) {
+            return $this->label("Denied file extension.");
+        }
+
         return true;
     }
 
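Review bot: The normalisation `if (is_string($isValidImage)) $isValidImage = ($isValidImage == 'false') ? false : true;` treats every string other than `'false'` as a valid image, so an empty string, `'0'` or an error message returned by `Vtiger_Functions::validateImage` would pass the check. Its return contract is not visible here; assuming it yields a boolean or the strings `'true'`/`'false'`, fail closed with `$isValidImage = ($isValidImage === true || $isValidImage === 'true');` and drop the loose `==`. The label "Denied file extension." also misdescribes a content-validation failure; a dedicated label (with its translation entry) such as "The file is not a valid image." would be clearer to the user and to whoever reads the logs. Note too that the check runs after `imageResize` has already decoded the temp file with GD; placing it before the GD work validates before processing. The enclosing method starts outside the hunk.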
@@ -448,6 +458,10 @@ class uploader {
         $CKfuncNum = isset($this->opener['CKEditor']['funcNum'])
             ? $this->opener['CKEditor']['funcNum'] : 0;
         if (!$CKfuncNum) $CKfuncNum = 0;
+        if(!is_numeric($CKfuncNum)){
+            $CKfuncNum = 0; // to prevent xss
+        }
+        $url = addcslashes($url, "'");
         header("Content-Type: text/html; charset={$this->charset}");
 
 ?><html>
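Review bot: `is_numeric($CKfuncNum)` still admits values such as `'1e3'`, `'.5'` or a number with leading whitespace; since the value is presumably interpolated into the script emitted below (outside the hunk), a plain cast is both tighter and simpler: replace the three added lines with `$CKfuncNum = (int) $CKfuncNum;`. Likewise `addcslashes($url, "'")` escapes only the apostrophe; if `$url` is placed inside a single-quoted JavaScript string in the HTML below, a backslash or a `</script>` sequence in it is still passed through unescaped, so `json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)` (which supplies the quotes itself) is the robust form for that context. The enclosing method continues outside the hunk.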
diff --git a/kcfinder/js/browser/files.js b/kcfinder/js/browser/files.js
index 3d85061029dc6fe3b954769b4523f2415400c1d6..dfcac7efd1a2d7ba7508ac2b02b1d86e859c28a4 100644
--- a/kcfinder/js/browser/files.js
+++ b/kcfinder/js/browser/files.js
@@ -137,14 +137,14 @@ browser.selectFile = function(file, e) {
                 $('#fileinfo').html(files.length + ' ' + this.label("selected files") + ' (' + size + ')');
             else {
                 var data = $(files[0]).data();
-                $('#fileinfo').html(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
+                $('#fileinfo').text(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
             }
         }
     } else {
         var data = file.data();
         $('.file').removeClass('selected');
         file.addClass('selected');
-        $('#fileinfo').html(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
+        $('#fileinfo').text(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
     }
 };
 
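Review bot: The multi-file branch at line 137 still writes with `.html()` while the two single-file branches were switched to `.text()`; its content is a count, a label and a size rather than a file name, so the exposure differs, but using `.text()` there too keeps the three branches consistent and removes the need to reason about each one separately: `$('#fileinfo').text(files.length + ' ' + this.label("selected files") + ' (' + size + ')');`. `browser.selectFile` starts outside the hunk.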
@@ -378,7 +378,7 @@ browser.menuFile = function(file, e) {
         html += '<div class="menu">';
         $('.file').removeClass('selected');
         file.addClass('selected');
-        $('#fileinfo').html(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
+        $('#fileinfo').text(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
         if (this.opener.callBack || this.opener.callBackMultiple) {
             html += '<a href="kcact:pick">' + this.label("Select") + '</a>';
             if (data.thumb) html +=
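Review bot: The `html` string assembled in this function continues past the hunk (`if (data.thumb) html +=` is its last line) and is presumably inserted with `.html()` later; if `data.name` or `data.thumb` is concatenated into it there, that path still needs the escaping the `#fileinfo` line now gets. This cannot be confirmed from the hunk, so it is worth checking the rest of `browser.menuFile`, which ends outside it. A small escape helper applied at each concatenation point, or building the menu entries with jQuery `.text()`/`.attr()`, would cover it.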
diff --git a/kcfinder/lib/helper_file.php b/kcfinder/lib/helper_file.php
index 7facb100bcc9e66af02d0d97216f94910fdc7fb5..54ea6955e8ec10221810b1def5027a15a54c144c 100644
--- a/kcfinder/lib/helper_file.php
+++ b/kcfinder/lib/helper_file.php
@@ -196,7 +196,17 @@ class file {
                 ? "$fdir/" . basename($file)
                 : basename($file));
     }
-
+    
+    static function sanitizeFileName($filename){
+        $sanitizedFilename = vtlib_purify($filename);
+        $sanitizedFilename = str_replace('/', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('"', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace("'", "", $sanitizedFilename);
+        $sanitizedFilename = str_replace(' ', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('=', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('<', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('>', "", $sanitizedFilename);
+        return $sanitizedFilename;
+    }
 }
-
 ?>
\ No newline at end of file
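Review bot: `sanitizeFileName` is a blocklist: it removes seven characters but leaves backslashes, NUL and other control bytes, and a bare `.`/`..` untouched, and both callers join its result directly onto `$dir`; the method also has no PHPDoc stating what it guarantees. A defensive form drops any directory component with `basename()` after normalising separators, strips control bytes before the existing replacements, and empties a dot-only result so callers can reject it (they should check for `''`). The hunk also replaces the blank line above the method with a whitespace-only line (line 196). Suggested body:
```php
    /**
     * Returns $filename reduced to a single path component with the
     * characters this project rejects in names removed. May return ''.
     */
    static function sanitizeFileName($filename){
        $sanitizedFilename = vtlib_purify($filename);
        // drop any directory part, whichever separator was used
        $sanitizedFilename = basename(str_replace('\\', '/', $sanitizedFilename));
        // NUL and other control bytes are never legitimate in a name
        $sanitizedFilename = preg_replace('/[\x00-\x1F\x7F]/', '', $sanitizedFilename);
        // the characters the original version removed one by one
        $sanitizedFilename = str_replace(['/', '"', "'", ' ', '=', '<', '>'], '', $sanitizedFilename);
        if ($sanitizedFilename === '.' || $sanitizedFilename === '..') {
            $sanitizedFilename = '';
        }
        return $sanitizedFilename;
    }
```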