Adding check_abs_path when using the DocumentManager::file_send_for_download to prevent downloading unwanted files see #2722

14 years ago · 09b7f334ca
parent cd31a9aa2f
commit 09b7f334ca
13 changed files with 119 additions and 133 deletions
--- a/main/admin/session_export.php
+++ b/main/admin/session_export.php
@ -1,30 +1,6 @@
-<?php // $Id: session_export.php,v 1.1 2006/04/20 09:58:01 elixir_inter Exp $
-/*
-==============================================================================
-	Dokeos - elearning and course management software
-
-	Copyright (c) 2004 Dokeos S.A.
-	Copyright (c) 2003 Ghent University (UGent)
-	Copyright (c) 2001 Universite catholique de Louvain (UCL)
-	Copyright (c) Olivier Brouckaert
-
-	For a full list of contributors, see "credits.txt".
-	The full license can be read in "license.txt".
-
-	This program is free software; you can redistribute it and/or
-	modify it under the terms of the GNU General Public License
-	as published by the Free Software Foundation; either version 2
-	of the License, or (at your option) any later version.
-
-	See the GNU General Public License for more details.
-
-	Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com
-==============================================================================
-*/
+<?php
 /**
-==============================================================================
-*	@package dokeos.admin
-==============================================================================
+*	@package chamilo.admin
 */
 // name of the language file that needs to be included
 $language_file = 'admin';
--- a/main/announcements/download.php
+++ b/main/announcements/download.php
@ -48,7 +48,7 @@ if (is_dir($full_file_name)) {
 	//create the path
 	$document_explorer = api_get_path(WEB_COURSE_PATH).api_get_course_path(); // home course path
 	//redirect
-	header('Location: '.$document_explorer);
+	header('Location: '.$document_explorer); 
 }

 $tbl_announcement_attachment = Database::get_course_table(TABLE_ANNOUNCEMENT_ATTACHMENT);
@ -60,8 +60,11 @@ $sql='SELECT filename FROM '.$tbl_announcement_attachment.'
  	  WHERE path LIKE BINARY "'.$doc_url.'"';

 $result= Database::query($sql);
-$row= Database::fetch_array($result);
-$title = str_replace(' ','_', $row['filename']);
-DocumentManager::file_send_for_download($full_file_name,TRUE, $title);
-exit;
-?>
+if (Database::num_rows($result) > 0) {
+    $row= Database::fetch_array($result);
+    $title = str_replace(' ','_', $row['filename']);
+    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/announcements/')) {  
+        DocumentManager::file_send_for_download($full_file_name,TRUE, $title);
+    }
+}
+exit;
--- a/main/blog/download.php
+++ b/main/blog/download.php
@ -1,4 +1,4 @@
-<?php // $Id: download.php 12218 2007-05-01 18:27:14Z yannoo $
+<?php
 /* For licensing terms, see /license.txt */
 /**
 *	This file is responsible for  passing requested documents to the browser.
@ -9,9 +9,7 @@
 *	@package chamilo.blogs
 */

-/*
-		MAIN CODE
-*/
+/*		MAIN CODE   */

 session_cache_limiter('public');

@ -41,14 +39,13 @@ if (! isset($_course)) {
 $full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/blog/'.$doc_url;

 //if the rewrite rule asks for a directory, we redirect to the course view
-if (is_dir($full_file_name))
-{
+if (is_dir($full_file_name)) {
 	//remove last slash if present
 	while ($doc_url{$dul = strlen($doc_url)-1}=='/') $doc_url = substr($doc_url,0,$dul);
 	//create the path
 	$document_explorer = api_get_path(WEB_COURSE_PATH).api_get_course_path(); // home course path
 	//redirect
-	header('Location: '.$document_explorer);
+	header('Location: '.$document_explorer); 
 }

 $tbl_blogs_attachment 	= Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
@ -57,9 +54,11 @@ $tbl_blogs_attachment 	= Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
 event_download($doc_url);

 $sql = 'SELECT filename FROM '.$tbl_blogs_attachment.' WHERE path LIKE BINARY "'.Database::escape_string($doc_url).'"';
-
 $result = Database::query($sql);
-$row 	= Database::fetch_array($result);
-DocumentManager::file_send_for_download($full_file_name,TRUE, $row['filename']);
-exit;
-?>
+if (Database::num_rows($result) > 0) {
+    $row = Database::fetch_array($result);
+    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/blog/')) {    
+        DocumentManager::file_send_for_download($full_file_name, TRUE, $row['filename']);
+    }
+}
+exit;
--- a/main/calendar/download.php
+++ b/main/calendar/download.php
@ -62,9 +62,12 @@ event_download($doc_url);
 $sql='SELECT filename FROM '.$tbl_agenda_attachment.'
  	  WHERE path LIKE BINARY "'.Database::escape_string($doc_url).'"';

-$result= Database::query($sql);
-$row= Database::fetch_array($result);
-$title = str_replace(' ','_', $row['filename']);
-DocumentManager::file_send_for_download($full_file_name,TRUE, $title);
-exit;
-?>
+$result = Database::query($sql);
+$row    = Database::fetch_array($result);
+if (Database::num_rows($result) > 0) {
+    $title = str_replace(' ','_', $row['filename']);
+    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/calendar/')) {
+        DocumentManager::file_send_for_download($full_file_name,TRUE, $title);
+    }
+}
+exit;
--- a/main/conference/api.php
+++ b/main/conference/api.php
@ -223,13 +223,10 @@ else if ($action == "service")
 		DocumentManager::delete_document($_course, $path, $coursePath);
 		echo "<result>OK</result>"; // We have to return something to OpenLaszlo
 	}
-}
-else if ($action == "download")
-{
+} else if ($action == "download") {
 	/*==== DOWNLOAD ====*/
 	//check if the document is in the database
-	if(!DocumentManager::get_document_id($_course,$_REQUEST['file']))
-	{
+	if(!DocumentManager::get_document_id($_course,$_REQUEST['file'])) {
 		//file not found!
 		if ($debug>0) error_log("404 ".$_REQUEST["file"]);
 		header("HTTP/1.0 404 Not Found");
@ -247,7 +244,8 @@ else if ($action == "download")
 	$doc_url = str_replace('../','',$_REQUEST['file']);
 	if ($debug >0) error_log($doc_url);
 	$full_file_name = $coursePath.$doc_url;
-	DocumentManager::file_send_for_download($full_file_name,false);
+    if (Security::check_abs_path($full_file_name, $coursePath.'/')) {
+	   DocumentManager::file_send_for_download($full_file_name,false);
+    }
 	exit;
-}
-?>
+}
--- a/main/course_info/download.php
+++ b/main/course_info/download.php
@ -23,7 +23,7 @@ if (empty($extension) || !file_exists($archive_path.$archive_file)) {
 	exit();
 }

-$extension = strtolower($extension);
+$extension = strtolower($extension); 
 $content_type = '';

 if (in_array($extension, array('xml', 'csv')) && (api_is_platform_admin(true) || api_is_drh())) {
@ -36,13 +36,16 @@ if (empty($content_type)) {
 	api_not_allowed(true);
 }

-header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
-header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT');
-header('Cache-Control: public');
-header('Pragma: no-cache');
-
-header('Content-Type: '.$content_type);
-header('Content-Length: '.filesize($archive_path.$archive_file));
-header('Content-Disposition: attachment; filename='.$archive_file);
-
-readfile($archive_path.$archive_file);
+if (Security::check_abs_path($archive_path.$archive_file, $archive_path)) {        
+    header('Expires: Wed, 01 Jan 1990 00:00:00 GMT');
+    header('Last-Modified: '.gmdate('D, d M Y H:i:s').' GMT');
+    header('Cache-Control: public');
+    header('Pragma: no-cache');
+    
+    header('Content-Type: '.$content_type);
+    header('Content-Length: '.filesize($archive_path.$archive_file));
+    header('Content-Disposition: attachment; filename='.$archive_file);
+    readfile($archive_path.$archive_file);
+} else {
+    exit;	
+}
--- a/main/document/document.php
+++ b/main/document/document.php
@ -298,7 +298,9 @@ if (isset($_GET['action']) && $_GET['action'] == 'download') {

    $doc_url = $my_get_id;
    $full_file_name = $base_work_dir.$doc_url;
-    DocumentManager::file_send_for_download($full_file_name, true);
+    if (Security::check_abs_path($full_file_name, $base_work_dir.'/')) {
+        DocumentManager::file_send_for_download($full_file_name, true);
+    }
    exit;
 }

--- a/main/dropbox/dropbox_download.php
+++ b/main/dropbox/dropbox_download.php
@ -75,7 +75,7 @@ if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
 $allowed_to_download = false;

 // Check if the user has sent or received the file.
-$sql = "SELECT * FROM ".$dropbox_cnf['tbl_person']." WHERE file_id='".Database::escape_string($_GET['id'])."' AND user_id='".Database::escape_string($_user['user_id'])."'";
+$sql = "SELECT * FROM ".$dropbox_cnf['tbl_person']." WHERE file_id='".intval($_GET['id'])."' AND user_id='".api_get_user_id()."'";
 $result = Database::query($sql);
 if (Database::num_rows($result) > 0) {
 	$allowed_to_download = true;
@ -88,16 +88,16 @@ if (!$allowed_to_download) {
 	Display :: display_error_message(get_lang('YouAreNotAllowedToDownloadThisFile'));
 	Display::display_footer();
 	exit;
-}
-
-/*		DOWNLOAD THE FILE */
-
-// the user is allowed to download the file
-else {
+} else {    
+    /*      DOWNLOAD THE FILE */    
+    // the user is allowed to download the file
 	$_SESSION['_seen'][$_course['id']][TOOL_DROPBOX][] = intval($_GET['id']);

 	$work = new Dropbox_work($_GET['id']);
 	$path = dropbox_cnf('sysPath') . '/' . $work -> filename; //path to file as stored on server
+    if (!Security::check_abs_path($path, dropbox_cnf('sysPath').'/')) {
+    	exit;
+    }
 	$file = $work->title;
 	require_once api_get_path(LIBRARY_PATH).'document.lib.php';
 	$mimetype = DocumentManager::file_get_mime_type(true);
@ -149,6 +149,16 @@ else {
 }


+//@todo clean this file the code below is useless there are 2 exits in previous conditions ... maybe a bad copy/paste/merge?
+exit;
+
+
+
+
+
+
+
+
 /**
 * Dropbox module for Chamilo
 * handles downloads of files. Direct downloading is prevented because of an .htaccess file in the
@ -237,13 +247,14 @@ else {
 * @package chamilo.dropbox
 */

-/*	INITIALISING VARIABLES */
+//	INITIALISING VARIABLES 
+

 require_once 'dropbox_init.inc.php';	//only call init1 because init2 outputs data
 require_once 'dropbox_class.inc.php';


-/*	AUTHORISATION SECTION */
+//	AUTHORISATION SECTION 

 if (!isset($_user['user_id']) || !$is_course_member) {
    exit();
@ -253,7 +264,7 @@ if ($_GET['mailing']) {
 	getUserOwningThisMailing($_GET['mailing'], $_user['user_id'], '500');
 }

-/*	SANITY CHECKS OF GET DATA & FILE */
+//	SANITY CHECKS OF GET DATA & FILE 

 if (!isset($_GET['id']) || !is_numeric($_GET['id'])) die(get_lang('GeneralError').' (code 501)');

@ -268,7 +279,7 @@ if (!is_file($path)) {
    die(get_lang('GeneralError').' (code 504)');
 }

-/*	SEND HEADERS */
+//	SEND HEADERS

 require_once api_get_path(LIBRARY_PATH).'document.lib.php';
 $mimetype = DocumentManager::file_get_mime_type(true);
@ -317,12 +328,13 @@ header('Content-Description: ' . trim(htmlentities($file)) . "\n");
 header("Content-Transfer-Encoding: binary\n");
 header('Content-Length: ' . filesize($path)."\n" );

-/*	SEND FILE */
+//	SEND FILE 

 $fp = fopen( $path, 'rb');
 fpassthru($fp);
 exit();

+
 /**
 * Found a workaround to another headache that just cropped up tonight.  Apparently Opera 6.1 on Linux (unsure of other versions/platforms) has problems downloading files using the above methods if you have enabled compression via zlib.output_compression in php.ini.
 * It seems that Opera sees that the actual transfer size is less than the size in the "Content-length" header for the download and decides that the transfer was incomplete or corrupted.  It then either continuously retries the download or else leaves you with a corrupted file.
--- a/main/dropbox/dropbox_functions.inc.php
+++ b/main/dropbox/dropbox_functions.inc.php
@ -1071,7 +1071,7 @@ function zip_download($array) {
 	}

 	// create the zip file
-    $name = 'dropboxdownload-'.$_user['user_id'].'-'.mktime().'.zip';
+    $name = 'dropboxdownload-'.api_get_user_id().'-'.mktime().'.zip';
 	$temp_zip_file = $temp_zip_dir.'/'.$name;
 	$zip_folder = new PclZip($temp_zip_file);

@ -1135,7 +1135,7 @@ function zip_download_alternative($files)
 	}

 	// Step 3: create the zip file and add all the files to it
-	$temp_zip_file = $temp_zip_dir.'/dropboxdownload-'.$_user['user_id'].'-'.mktime().'.zip';
+	$temp_zip_file = $temp_zip_dir.'/dropboxdownload-'.api_get_user_id().'-'.mktime().'.zip';
 	$zip_folder = new PclZip($temp_zip_file);
 	foreach ($files as $key => $value) {
 		$zip_folder->add(api_get_path(SYS_COURSE_PATH).$_course['path'].'/temp/'.$value['title'], PCLZIP_OPT_REMOVE_PATH, api_get_path(SYS_COURSE_PATH).$_course['path'].'/temp');
--- a/main/exercice/Hpdownload.php
+++ b/main/exercice/Hpdownload.php
@ -1,34 +1,16 @@
 <?php
-/*
-    DOKEOS - elearning and course management software
-
-    For a full list of contributors, see documentation/credits.html
-
-    This program is free software; you can redistribute it and/or
-    modify it under the terms of the GNU General Public License
-    as published by the Free Software Foundation; either version 2
-    of the License, or (at your option) any later version.
-    See "documentation/licence.html" more details.
-
-    Contact:
-		Dokeos
-		Rue des Palais 44 Paleizenstraat
-		B-1030 Brussels - Belgium
-		Tel. +32 (2) 211 34 56
-*/
-
+/* For licensing terms, see /license.txt */

 /**
 *	This script shows the list of exercises for administrators and students.
-*	@package dokeos.exercise
+*	@package chamilo.exercise
 * 	@author Istvan Mandak
 * 	@version $Id: Hpdownload.php 22201 2009-07-17 19:57:03Z cfasanando $
 */

-
 session_cache_limiter('public');

-include('../inc/global.inc.php');
+require_once '../inc/global.inc.php';
 $this_section=SECTION_COURSES;

 $tbl_document = Database::get_course_table(TABLE_DOCUMENT);
@ -39,13 +21,19 @@ $filename=basename($doc_url);
 // launch event
 //event_download($doc_url);
 if (isset($_course['path'])) {
-	$full_file_name = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document'.Security::remove_XSS($doc_url);
+    $course_path = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
+	$full_file_name = $course_path.Security::remove_XSS($doc_url);
 } else {
-	$full_file_name = api_get_path(SYS_COURSE_PATH).$cid.'/document'.Security::remove_XSS($doc_url);
+    $course_path = api_get_path(SYS_COURSE_PATH).$cid.'/document';
+	$full_file_name = $course_path.Security::remove_XSS($doc_url);
 }

 if(!is_file($full_file_name)) {
-	exit();
+	exit;
+}
+
+if (!Security::check_abs_path($full_file_name, $course_path.'/')) {
+    exit;   
 }

 $extension=explode('.',$filename);
@ -70,24 +58,21 @@ header('Expires: '.gmdate('D, d M Y H:i:s',time()+10).' GMT');
 header('Last-Modified: '.gmdate('D, d M Y H:i:s',time()+10).' GMT');

 /*
------------------------------------------------------------------------------
 	Dynamic parsing section
 	is activated whenever a user views an html file
 	work in progress
 	- question: we could also parse per line,
 	perhaps this would be faster.
 	($file_content = file($full_file_name) returns file in array)
------------------------------------------------------------------------------
 */

-if($content_type == 'text/html') {
-	include (api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
+if ($content_type == 'text/html') {
+	require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
 	$directory_name = dirname($full_file_name);

 	$dir=str_replace(array('\\',$_configuration['root_sys']."courses/".$_course['path'].'/document'),array('/',''),$directory_name);

-	if($dir[strlen($dir)-1] != '/')
-	{
+	if($dir[strlen($dir)-1] != '/') {
 		$dir.='/';
 	}

@ -112,7 +97,7 @@ if($content_type == 'text/html') {
 	*/


-		$exercicePath = api_get_self();
+    $exercicePath = api_get_self();
  	$exfile = explode('/',$exercicePath);
  	$exfile = $exfile[sizeof($exfile)-1];
  	$exercicePath = substr($exercicePath,0,strpos($exercicePath,$exfile));
--- a/main/forum/download.php
+++ b/main/forum/download.php
@ -63,14 +63,15 @@ event_download($doc_url);
 $sql='SELECT thread_id, forum_id,filename FROM '.$tbl_forum_post.'  f  INNER JOIN '.$tbl_forum_attachment.' a
  	  ON a.post_id=f.post_id WHERE path LIKE BINARY "'.$doc_url.'"';

-$result= Database::query($sql);
-$row= Database::fetch_array($result);
+$result = Database::query($sql);
+$row    = Database::fetch_array($result);

-$forum_thread_visibility=api_get_item_visibility(api_get_course_info($course_code),TOOL_FORUM_THREAD,$row['thread_id']);
-$forum_forum_visibility=api_get_item_visibility(api_get_course_info($course_code),TOOL_FORUM,$row['forum_id']);
+$forum_thread_visibility = api_get_item_visibility(api_get_course_info($course_code),TOOL_FORUM_THREAD,$row['thread_id']);
+$forum_forum_visibility  = api_get_item_visibility(api_get_course_info($course_code),TOOL_FORUM,$row['forum_id']);

 if ($forum_thread_visibility==1 && $forum_forum_visibility==1) {
-	DocumentManager::file_send_for_download($full_file_name,TRUE, $row['filename']);
+    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/forum/')) {
+	   DocumentManager::file_send_for_download($full_file_name,TRUE, $row['filename']);
+    }
 }
-exit;
-?>
+exit;
--- a/main/messages/download.php
+++ b/main/messages/download.php
@ -84,7 +84,9 @@ if (!empty($row_users['group_id'])) {

 $full_file_name = $path_user_info['dir'].'message_attachments/'.$file_url;

-// launch event
-event_download($file_url);
-DocumentManager::file_send_for_download($full_file_name,TRUE, $title);
+if (Security::check_abs_path($full_file_name, $path_user_info['dir'].'message_attachments/')) {
+    // launch event
+    event_download($file_url);
+    DocumentManager::file_send_for_download($full_file_name,TRUE, $title);
+}
 exit;
--- a/main/work/download.php
+++ b/main/work/download.php
@ -12,7 +12,7 @@

 session_cache_limiter('public');

-require '../inc/global.inc.php';
+require_once '../inc/global.inc.php';
 $this_section = SECTION_COURSES;

 require_once api_get_path(LIBRARY_PATH).'document.lib.php';
@ -42,12 +42,14 @@ $tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION)
 // launch event
 event_download($doc_url);

-$sql = 'SELECT title FROM '.$tbl_student_publication.'
-  	  WHERE url LIKE BINARY "'.$doc_url.'"';
+$sql = 'SELECT title FROM '.$tbl_student_publication.'WHERE url LIKE BINARY "'.$doc_url.'"';

 $result = Database::query($sql);
-$row = Database::fetch_array($result);
-$title = str_replace(' ', '_', $row['title']);
-DocumentManager::file_send_for_download($full_file_name, true, $title);
-
-exit;
+if (Database::num_rows($result) > 0) {
+    $row = Database::fetch_array($result);
+    $title = str_replace(' ', '_', $row['title']);
+    if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/')) {
+        DocumentManager::file_send_for_download($full_file_name, true, $title);
+    }
+}
+exit;