Commit a71c44e0 authored by Chris Graham's avatar Chris Graham

Security fix for MANTIS-4632 (Upload and execution of PHP files)

parent 833a0646
+63 −0
<?php /*

 Composr
 Copyright (c) ocProducts, 2004-2016

 See text/EN/licence.txt for full licencing information.

*/

/**
 * @license    http://opensource.org/licenses/cpal_1.0 Common Public Attribution License
 * @copyright  ocProducts Ltd
 * @package    testing_platform
 */

/**
 * Composr test case class (unit testing).
 */
class file_security_test_set extends cms_test_case
{
    public function setUp()
    {
        require_code('files2');

        parent::setUp();
    }

    public function testFilenameFixup()
    {
        $tests = array(
            // Not whitelisted
            'foo.example' => ['foo.example', false],

            // Files should be altered to remove double-file-extension
            'foo.php.php.gif' => ['foo-php-php.gif', true],
            'foo.php.bar.gif' => ['foo-php.bar.gif', true],
            'foo.bar.php.gif' => ['foo.bar-php.gif', true],
            'foo.php.gif' => ['foo-php.gif', true],
            'foo.php' => ['foo.php', false], // Blacklisted

            // Files inside directories should be altered to remove double-file-extension
            'x/foo.php.php.gif' => ['x/foo-php-php.gif', true],
            'x/foo.php.bar.gif' => ['x/foo-php.bar.gif', true],
            'x/foo.bar.php.gif' => ['x/foo.bar-php.gif', true],
            'x/foo.php.gif' => ['x/foo-php.gif', true],
            'x/foo.php' => ['x/foo.php', false], // Blacklisted

            // Directories should not be altered to remove double-file-extension
            'foo.php.bar/foo.php.php.gif' => ['foo.php.bar/foo-php-php.gif', true],
            'foo.php.bar/foo.php.bar.gif' => ['foo.php.bar/foo-php.bar.gif', true],
            'foo.php.bar/foo.bar.php.gif' => ['foo.php.bar/foo.bar-php.gif', true],
            'foo.php.bar/foo.php.gif' => ['foo.php.bar/foo-php.gif', true],
            'foo.php.bar/foo.php' => ['foo.php.bar/foo.php', false], // Blacklisted
        );

        foreach ($tests as $from => $_) {
            list($to, $result) = $_;
            $name = $from;
            $this->assertTrue(check_extension($name/*changed by reference*/, false, null, true) == $result, 'Unexpected return result for ' . $from);
            $this->assertTrue($name == $to, 'Failed $to result for ' . $from . ', got ' . $name . ' but expected ' . $to);
        }
    }
}
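Review bot: The two assertions in testFilenameFixup compare with loose `==`, so a `0`, `''` or `null` return from `check_extension()` would satisfy `== false` and the test would not notice a changed return type; use identity, `$this->assertTrue(check_extension($name, false, null, true) === $result, 'Unexpected return result for ' . $from);` and `$this->assertTrue($name === $to, ...)`. The table only exercises the lower-case `.php` token, so it cannot tell whether the fix-up is case-insensitive; adding an upper- or mixed-case variant such as `foo.PHP.gif` (with the expected output confirmed against `check_extension()` rather than guessed) would pin the behaviour the MANTIS-4632 fix relies on. Extensionless and trailing-dot names (`foo`, `foo.`) are also absent from the table.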
+4 −4
@@ -61,17 +61,17 @@ class standard_dir_files_test_set extends cms_test_case
        }*/

        $valid_hashes = array(
            '040f254836ecefb94bebc44d91e391eb', // uploads/incoming/.htaccess
            '0e665ce3d0ae5f44e1a6affe3c7f5303', // uploads/*/.htaccess
            'de3253ec2280f4da1a3bc966c113f369', // uploads/incoming/.htaccess
            'e239621b461039678b9096251869efb4', // uploads/*/.htaccess
            '8fbbec6b8fd8a4999a5b07f5ddcf5ea8', // */pages/modules*/.htaccess
            '3c3283f2b3f7d57a8bdf38ca126ff678', // data*/images/.htaccess, uploads/.htaccess
            '44c2cb384e8efd1ab789978e00d6ea19', // */pages/html*/EN/.htaccess
            '45c31898af89e12147cf987481cae64b', // sources/.htaccess
            '61b32927345080611fa4772255f4a70b', // adminzone/.htaccess
            'b4af30b08914c4a8240106cf7c614034', // themes/*/templates_cached/.htaccess
            'e0cc4033fbb4bf22b3f001bbcae33bfd', // themes/*/templates_cached/.htaccess
            'c1bfa4b9b62eff28d2c697aff749bd76', // Many
            'd565e2958abd06bfac42906ea7b4ea9d', // exports/static/.htaccess
            'd90c4471fc2a552580896dd6dae99df7', // themes/*/images*/.htaccess
            '1be57737eab0844f0d01a6a0adcb4b0f', // themes/*/images*/.htaccess
            'e584f07661e5fee9170ba1df153359ad', // uploads/website_specific/compo.sr/.htaccess
            'ede82ed9879b9d6d011638ca5736bddd', // data_custom/.htaccess
        );
+14 −0
@@ -212,6 +212,8 @@ class Module_admin_cns_emoticons extends Standard_crud_module
    {
        post_param_string('test'); // To pick up on max file size exceeded errors

        require_code('files2');

        require_code('images');
        is_plupload(true);

@@ -239,6 +241,10 @@ class Module_admin_cns_emoticons extends Standard_crud_module

                            $_file = zip_entry_name($entry);

                            if (!check_extension($_file, false, null, true)) {
                                continue;
                            }

                            if (is_image($_file)) {
                                if (file_exists(get_file_base() . '/themes/default/images/emoticons/index.html')) {
                                    $path = get_custom_file_base() . '/themes/default/images_custom/emoticons__' . basename($_file);
@@ -286,6 +292,10 @@ class Module_admin_cns_emoticons extends Standard_crud_module
                            // Load in file
                            $_file = $entry['path'];

                            if (!check_extension($_file, false, null, true)) {
                                continue;
                            }

                            if (is_image($_file)) {
                                if (file_exists(get_file_base() . '/themes/default/images/emoticons/index.html')) {
                                    $path = get_custom_file_base() . '/themes/default/images_custom/emoticons__' . basename($_file);
@@ -303,6 +313,10 @@ class Module_admin_cns_emoticons extends Standard_crud_module
                    }
                    break;
                default:
                    if (!check_extension($file, false, null, true)) {
                        break;
                    }

                    if (is_image($file)) {
                        $urls = get_url('', $attach_name, 'themes/default/images_custom');
                        $path = $urls[0];
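Review bot: In the `default:` branch the guard may rewrite `$file` in place, but the upload is then stored through `get_url('', $attach_name, 'themes/default/images_custom')`, which receives the form field name rather than the sanitised `$file`; if `get_url()` takes the stored filename from `$_FILES[$attach_name]['name']` (not visible here) the renamed value is never used and only the boolean matters — confirm, or pass the fixed-up name through. The two archive branches do not have this problem because `basename($_file)` on the `$path` lines uses the fixed-up name. In all three places a rejected entry is dropped silently, so an admin importing a pack cannot tell why some emoticons are missing; a warning naming the skipped entry would help. The enclosing method starts and ends outside these hunks.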
+14 −0
@@ -189,6 +189,8 @@ class Module_admin_cns_multi_moderations extends Standard_crud_module
    {
        require_lang('dearchive');

        require_code('files2');

        require_code('uploads');
        is_plupload(true);

@@ -224,6 +226,10 @@ class Module_admin_cns_multi_moderations extends Standard_crud_module

                            $filename = zip_entry_name($entry);

                            if (!check_extension($filename, false, null, true)) {
                                continue;
                            }

                            if ((strtolower(substr($filename, -4)) == '.txt') && (!should_ignore_file($filename))) {
                                $data = '';
                                do {
@@ -253,6 +259,10 @@ class Module_admin_cns_multi_moderations extends Standard_crud_module
                        foreach ($directory as $entry) {
                            $filename = $entry['path'];

                            if (!check_extension($filename, false, null, true)) {
                                continue;
                            }

                            if ((strtolower(substr($filename, -4)) == '.txt') && (!should_ignore_file($filename))) {
                                // Load in file
                                $_in = tar_get_file($myfile, $entry['path'], false);
@@ -265,6 +275,10 @@ class Module_admin_cns_multi_moderations extends Standard_crud_module
                    }
                    break;
                default:
                    if (!check_extension($file, false, null, true)) {
                        break;
                    }

                    if (strtolower(substr($file, -4)) == '.txt') {
                        $this->_import_stock_response($file, file_get_contents($tmp_name), $target_forum);
                    } else {
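Review bot: The added guard runs before the `.txt` test in both archive branches, so for this importer its only effect is on names such as `foo.php.txt`, which are presumably renamed (by analogy with the `foo.php.gif` → `foo-php.gif` cases in this commit's test table) while the archive is still read with the original `$entry['path']` in the tar branch — that is correct, but deserves a comment: `// check_extension() may rewrite $filename; the archive read below must keep $entry['path']`. In the `default:` branch a rejected upload just `break`s with no feedback, so the user sees a successful-looking submit with nothing imported. The same three hunks are repeated verbatim in the post_templates section below, and three more times in the emoticons module above; a single shared helper in files2 would keep the three modules from drifting. The enclosing method starts and ends outside these hunks.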
+14 −0
@@ -189,6 +189,8 @@ class Module_admin_cns_post_templates extends Standard_crud_module
    {
        require_lang('dearchive');

        require_code('files2');

        require_code('uploads');
        is_plupload(true);

@@ -224,6 +226,10 @@ class Module_admin_cns_post_templates extends Standard_crud_module

                            $filename = zip_entry_name($entry);

                            if (!check_extension($filename, false, null, true)) {
                                continue;
                            }

                            if ((strtolower(substr($filename, -4)) == '.txt') && (!should_ignore_file($filename))) {
                                $data = '';
                                do {
@@ -253,6 +259,10 @@ class Module_admin_cns_post_templates extends Standard_crud_module
                        foreach ($directory as $entry) {
                            $filename = $entry['path'];

                            if (!check_extension($filename, false, null, true)) {
                                continue;
                            }

                            if ((strtolower(substr($filename, -4)) == '.txt') && (!should_ignore_file($filename))) {
                                // Load in file
                                $_in = tar_get_file($myfile, $entry['path'], false);
@@ -265,6 +275,10 @@ class Module_admin_cns_post_templates extends Standard_crud_module
                    }
                    break;
                default:
                    if (!check_extension($file, false, null, true)) {
                        break;
                    }

                    if (strtolower(substr($file, -4)) == '.txt') {
                        $this->_import_stock_response($file, file_get_contents($tmp_name), $target_forum);
                    } else {