From 3214aefb1d37da4e3899fc9f5650b79ea748d4fd Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Wed, 11 Mar 2020 18:09:13 +0530
Subject: [PATCH] Fixes #1254 Kcfinder library cleanup

---
 kcfinder/core/browser.php    |  3 ++-
 kcfinder/core/uploader.php   | 16 +++++++++++++++-
 kcfinder/js/browser/files.js |  6 +++---
 kcfinder/lib/helper_file.php | 14 ++++++++++++--
 4 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/kcfinder/core/browser.php b/kcfinder/core/browser.php
index f429fd9c4..e292bf842 100644
--- a/kcfinder/core/browser.php
+++ b/kcfinder/core/browser.php
@@ -262,7 +262,8 @@ class browser extends uploader {
             $this->errorMsg($message);
         }
 
-        $target = "$dir/" . file::getInexistantFilename($this->file['name'], $dir);
+        $sanitizedFilename = file::sanitizeFileName($this->file['name']);
+        $target = "$dir/" . file::getInexistantFilename($sanitizedFilename, $dir);
 
         if (!@move_uploaded_file($this->file['tmp_name'], $target) &&
             !@rename($this->file['tmp_name'], $target) &&
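Review bot: The sanitisation on L22 runs after the upload has apparently already been validated (the `errorMsg()` on L18 reports checks made above this hunk, on the unsanitised `$this->file['name']`), so the name that was checked and the name that is written can differ: stripping ` `, `=`, `<`, `>` and quotes turns `shell.p<hp` into `shell.php` after any extension-based check has passed on `p<hp`. Sanitise first and validate the result, e.g. assign `$this->file['name'] = file::sanitizeFileName($this->file['name']);` before the checks that precede this hunk and keep using `$this->file['name']` on L23. Note also that `sanitizeFileName` leaves `\` and `..` in place, so `$target` staying under `$dir` depends on `getInexistantFilename()` (not visible here) applying `basename()`. The enclosing method starts and ends outside the hunk.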
diff --git a/kcfinder/core/uploader.php b/kcfinder/core/uploader.php
index 736708aec..f0aa69458 100644
--- a/kcfinder/core/uploader.php
+++ b/kcfinder/core/uploader.php
@@ -86,6 +86,7 @@ class uploader {
         $this->types = &$this->config['types'];
         $firstType = array_keys($this->types);
         $firstType = $firstType[0];
+        $this->get['type'] = "images"; // to allow images upload only
         $this->type = (
             isset($this->get['type']) &&
             isset($this->types[$this->get['type']])
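Review bot: The override on L35 fails open when no `images` entry exists in `$this->types`: the `isset($this->types[$this->get['type']])` test on L38 is then false and the ternary falls back to `$firstType` (L33–L34), i.e. whichever type is configured first, which may be a general file type — the opposite of what the comment promises. Make the restriction fail closed, e.g. test `isset($this->types['images'])` directly after L35 and abort through the class's existing error path when it is missing. Consider also putting the forced type in a constant or config key instead of overwriting the request copy in `$this->get`, so later code reading `$this->get['type']` is not silently handed a value the client never sent. The constructor continues outside the hunk.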
@@ -202,7 +203,8 @@ class uploader {
                 if (!is_dir(path::normalize($dir)))
                     @mkdir(path::normalize($dir), $this->config['dirPerms'], true);
 
-                $target = file::getInexistantFilename("$dir{$file['name']}");
+                $sanitizedFilename = file::sanitizeFileName($file['name']);
+                $target = file::getInexistantFilename("$dir{$sanitizedFilename}");
 
                 if (!@move_uploaded_file($file['tmp_name'], $target) &&
                     !@rename($file['tmp_name'], $target) &&
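Review bot: The sanitised name on L44 can be empty — `sanitizeFileName` only strips characters and never checks what remains — and then `"$dir{$sanitizedFilename}"` on L45 is just `$dir`, so the move on L47 targets the directory itself, or whatever `getInexistantFilename()` makes of that. Guard it before building the target, e.g. `if ($sanitizedFilename === '') { /* report through the loop's existing failure path and skip this file */ }`, and apply the same guard at the matching site in browser.php. As there, `\` and `..` survive sanitisation, so a name like `..\x.png` relies on `getInexistantFilename()` (outside this hunk) to keep `$target` under `$dir`. The loop and method this sits in extend past the hunk on both sides.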
@@ -290,6 +292,14 @@ class uploader {
         if (!$gd->init_error && !$this->imageResize($gd, $file['tmp_name']))
             return $this->label("The image is too big and/or cannot be resized.");
 
+        //sanitization as per Vtiger standard
+        $isValidImage = Vtiger_Functions::validateImage($file);
+        if (is_string($isValidImage))
+            $isValidImage = ($isValidImage == 'false') ? false : true;
+        if (!$isValidImage) {
+            return $this->label("Denied file extension.");
+        }
+
         return true;
     }
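Review bot: The coercion on L55–L56 fails open: any string other than the literal `'false'` — an empty string, `'0'`, or an error message returned by `Vtiger_Functions::validateImage()` — becomes `true` and the upload is accepted. Accept only an explicit success value and compare strictly, e.g. replace L55–L57 with `if ($isValidImage !== true && $isValidImage !== 'true') {`. The label on L58, "Denied file extension.", does not match what the helper name suggests is a content check; "The file is not a valid image." would mislead neither the user nor anyone reading logs. The check also runs after `imageResize()` has already decoded the file on L50, so if `validateImage` is meant to gate untrusted content it belongs before the GD work; the start of this method is above the hunk.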
 
@@ -448,6 +458,10 @@ class uploader {
         $CKfuncNum = isset($this->opener['CKEditor']['funcNum'])
             ? $this->opener['CKEditor']['funcNum'] : 0;
         if (!$CKfuncNum) $CKfuncNum = 0;
+        if(!is_numeric($CKfuncNum)){
+            $CKfuncNum = 0; // to prevent xss
+        }
+        $url = addcslashes($url, "'");
         header("Content-Type: text/html; charset={$this->charset}");
 
 ?><html>
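Review bot: `addcslashes($url, "'")` on L71 escapes only the apostrophe, so a URL containing `\'` becomes `\\'`, which inside a single-quoted JavaScript string (presumably the callback call emitted below this hunk) reads as an escaped backslash followed by a string terminator; a `</script>` in the value also ends the script block regardless of quoting. Encode for the JS context instead: `$url = json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);` and emit it without surrounding quotes (or, at minimum, `addcslashes($url, "\\'")` so the backslash is escaped too). The `is_numeric` guard on L68 still passes `' 1'`, `'1e3'` and `'1.5'` through to the output; `$CKfuncNum = (int) $CKfuncNum;` yields a clean integer in one step. The method's output section runs past the end of the hunk.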
diff --git a/kcfinder/js/browser/files.js b/kcfinder/js/browser/files.js
index 3d8506102..dfcac7efd 100644
--- a/kcfinder/js/browser/files.js
+++ b/kcfinder/js/browser/files.js
@@ -137,14 +137,14 @@ browser.selectFile = function(file, e) {
                 $('#fileinfo').html(files.length + ' ' + this.label("selected files") + ' (' + size + ')');
             else {
                 var data = $(files[0]).data();
-                $('#fileinfo').html(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
+                $('#fileinfo').text(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
             }
         }
     } else {
         var data = file.data();
         $('.file').removeClass('selected');
         file.addClass('selected');
-        $('#fileinfo').html(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
+        $('#fileinfo').text(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
     }
 };
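Review bot: The same `#fileinfo` expression now appears on L84 and L92 (and a third time in `menuFile`), so the `.html()`→`.text()` fix had to be repeated at every site and the next change can miss one. Extract it once, e.g. `browser.showFileInfo = function(data) { $('#fileinfo').text(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')'); };`, and call `this.showFileInfo(data)` from each site. `selectFile` starts above the hunk.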
 
@@ -378,7 +378,7 @@ browser.menuFile = function(file, e) {
         html += '<div class="menu">';
         $('.file').removeClass('selected');
         file.addClass('selected');
-        $('#fileinfo').html(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
+        $('#fileinfo').text(data.name + ' (' + this.humanSize(data.size) + ', ' + data.date + ')');
         if (this.opener.callBack || this.opener.callBackMultiple) {
             html += '<a href="kcact:pick">' + this.label("Select") + '</a>';
             if (data.thumb) html +=
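Review bot: Only the `#fileinfo` line (L101) moves to `.text()`; the `html` buffer opened on L97 is still assembled by string concatenation and, judging by its name, inserted as markup further down (outside the hunk), so any `data.*` value concatenated into it there — `data.thumb` is already being tested on L104 — keeps the injection path this commit closes for the file name. Either escape every interpolated value (a small helper that sets `textContent` on a scratch element and reads back `innerHTML` needs no new dependency), or build the menu entries as jQuery elements with `.attr()`/`.text()` instead of markup strings. `menuFile` continues past the hunk.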
diff --git a/kcfinder/lib/helper_file.php b/kcfinder/lib/helper_file.php
index 7facb100b..54ea6955e 100644
--- a/kcfinder/lib/helper_file.php
+++ b/kcfinder/lib/helper_file.php
@@ -196,7 +196,17 @@ class file {
                 ? "$fdir/" . basename($file)
                 : basename($file));
     }
-
+    
+    static function sanitizeFileName($filename){
+        $sanitizedFilename = vtlib_purify($filename);
+        $sanitizedFilename = str_replace('/', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('"', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace("'", "", $sanitizedFilename);
+        $sanitizedFilename = str_replace(' ', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('=', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('<', "", $sanitizedFilename);
+        $sanitizedFilename = str_replace('>', "", $sanitizedFilename);
+        return $sanitizedFilename;
+    }
 }
-
 ?>
\ No newline at end of file
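Review bot: `sanitizeFileName` (L115–L125) removes only `/` as a separator, so `\` (a path separator on Windows), `..`, NUL and other control characters all survive, and a name consisting entirely of stripped characters comes back as `''`, which both callers then append straight to a directory path. It also introduces a dependency on the host application's `vtlib_purify()` inside a vendored library file, so `file::sanitizeFileName` fails if the library is ever loaded on its own — hedged, since the load order is not visible here. A version that normalises separators, drops control characters and `..`, and never returns an empty name is below; the seven `str_replace` calls collapse into one `preg_replace`.
```php
static function sanitizeFileName($filename) {
    // normalise both separators, then keep only the last path segment
    $name = basename(str_replace('\\', '/', (string) vtlib_purify($filename)));
    // drop NUL/control characters plus what the original removed: quotes, whitespace, =, <, >
    $name = preg_replace('/[\x00-\x1F\x7F"\'\s=<>]/', '', $name);
    // collapse runs of dots so no ".." segment is left (basename() keeps a bare "..")
    $name = preg_replace('/\.{2,}/', '.', $name);
    // never hand callers an empty name — they build "$dir/$name" directly
    return ($name === '' || $name === '.') ? 'unnamed' : $name;
}
```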
-- 
GitLab