From c88fced80ad998bcf52a9a0ed97c34b53f2d65b0 Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Mon, 22 Apr 2024 22:11:37 +0530
Subject: [PATCH] Enhanced checkFileAccessIn implementation with relpaths

---
 vtlib/Vtiger/Utils.php | 45 ++++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/vtlib/Vtiger/Utils.php b/vtlib/Vtiger/Utils.php
index 772ab948b..d6923a68e 100644
--- a/vtlib/Vtiger/Utils.php
+++ b/vtlib/Vtiger/Utils.php
@@ -121,20 +121,39 @@ class Vtiger_Utils {
 		$realfilepath = str_replace('\\', '/', $realfilepath);
 		$rootdirpath  = str_replace('\\', '/', $rootdirpath);
 
-		if(stripos($realfilepath, $rootdirpath) !== 0) {
-                    if($dieOnFail) {
-                        $a = debug_backtrace();
-                        $backtrace = 'Traced on '.date('Y-m-d H:i:s')."\n";
-                        $backtrace .= "FileAccess - \n";
-                        foreach ($a as $b) {
-                              $backtrace .=  $b['file'] . '::' . $b['function'] . '::' . $b['line'] . '<br>'.PHP_EOL;
-                        }
-                        Vtiger_Utils::writeLogFile('fileMissing.log', $backtrace);
-                        die('Sorry! Attempt to access restricted file.');
-                    }
-			return false;
+		/** Assume not matching. */
+		$ok = false;
+
+		if(stripos($realfilepath, $rootdirpath) === 0) {
+			/** Safe path. */
+			if (is_null($relpaths) || empty($relpaths)) {
+				/** No specific path to check. */
+				$ok = true;
+			} else if (is_array($relpaths)) {
+				/* Check relfilepath against accepted ones. */
+				$relfilepath = str_replace(rtrim($rootdirpath, "/"). "/", "", $realfilepath);
+				foreach ($relpaths as $relpathok) {
+					if (strpos($relfilepath, $relpathok) === 0) {
+						/** found a match - break early. */
+						$ok = true;
+						break;
+					}
+				}
+			}
 		}
-		return true;
+
+		if (!$ok && $dieOnFail) {
+			$a = debug_backtrace();
+			$backtrace = 'Traced on '.date('Y-m-d H:i:s')."\n";
+			$backtrace .= "FileAccess - \n";
+			foreach ($a as $b) {
+					$backtrace .=  $b['file'] . '::' . $b['function'] . '::' . $b['line'] . '<br>'.PHP_EOL;
+			}
+			Vtiger_Utils::writeLogFile('fileMissing.log', $backtrace);
+			die('Sorry! Attempt to access restricted file.');
+		}
+
+		return $ok;
 	}
 
 	/**
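Review bot: The accept-list test on the new `strpos($relfilepath, $relpathok) === 0` line is a bare string-prefix match, so an entry such as `modules/Foo` also accepts `modules/FooBar/...`, and on PHP 8 an empty entry accepts every file under the root because `strpos` with an empty needle returns 0. The same boundary gap remains on the root check, where a `$rootdirpath` of `/var/www/app` also accepts `/var/www/app2/...`; comparing against `rtrim($rootdirpath, '/') . '/'` there would close it, provided no caller passes the root directory itself as the file to check. Deriving `$relfilepath` with a case-sensitive `str_replace` right after a case-insensitive `stripos` also means that on a case-insensitive filesystem the root prefix may not be stripped at all, so every relpath silently fails to match (fail-closed, but a functional break); taking `substr` by the root's length avoids that. The rewritten loop below accepts an entry exactly or as a directory ancestor and skips empty entries; checkFileAccessIn's signature and the realpath computation sit above the hunk.
```php
// … unchanged: separator normalisation and root-prefix check …
$relfilepath = ltrim(substr($realfilepath, strlen(rtrim($rootdirpath, '/'))), '/');
foreach ($relpaths as $relpathok) {
    $relpathok = trim((string) $relpathok, '/');
    // accept the entry itself or a path below it, never a sibling that merely shares a name prefix
    if ($relpathok !== '' && ($relfilepath === $relpathok || strpos($relfilepath, $relpathok . '/') === 0)) {
        $ok = true;
        break;
    }
}
// … unchanged: dieOnFail logging and return …
```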
-- 
GitLab