Security issues: adding Database::escape_string + Security:check_abs functions

14 years ago · 26a1e8c1eb
parent a062225181
commit 26a1e8c1eb
2 changed files with 27 additions and 20 deletions
--- a/main/inc/lib/events.lib.inc.php
+++ b/main/inc/lib/events.lib.inc.php
@ -194,17 +194,14 @@ function event_access_tool($tool, $id_session=0) {
 * and later again.
 * Doing this twice causes an error, I remove one of them.
 */
-function event_download($doc_url) {
-	global $_user, $_cid;
+function event_download($doc_url) {	
 	$tbl_stats_downloads = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_DOWNLOADS);	
    $doc_url = Database::escape_string($doc_url);

 	$reallyNow = api_get_utc_datetime();
-	if ($_user['user_id']) {
-		$user_id = "'".$_user['user_id']."'";
-	} else {
-		$user_id = "0";
-	}
+	$user_id = "'".api_get_user_id()."'";
+	$_cid = api_get_course_id();
+	
 	$sql = "INSERT INTO $tbl_stats_downloads (
 				 down_user_id,
 				 down_cours_id,
--- a/main/work/downloadfolder.inc.php
+++ b/main/work/downloadfolder.inc.php
@ -65,39 +65,45 @@ if (api_is_allowed_to_edit()) {
 		$querypath = $path;
 	}
 	//search for all files that are not deleted => visibility != 2
-
-	$query = Database::query("SELECT url FROM $tbl_student_publication AS work,$prop_table AS props  WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".$querypath."/%' AND work.filetype='file' AND props.visibility<>'2'");
+    $querypath = Database::escape_string($querypath);
+	$query = Database::query("SELECT url FROM $tbl_student_publication AS work, $prop_table AS props  
+							  WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".$querypath."/%' AND work.filetype='file' AND props.visibility<>'2'");
 	//add tem to the zip file
 	while ($not_deleted_file = Database::fetch_assoc($query)) {	//var_dump($sys_course_path.$_course['path'].'/'.$not_deleted_file['url']);exit();
 		$zip_folder->add($sys_course_path.$_course['path'].'/'.$not_deleted_file['url'], PCLZIP_OPT_REMOVE_PATH, $sys_course_path.$_course['path'].'/work'.$remove_dir);
 	}
-}
-
-//for other users, we need to create a zipfile with only visible files and folders
-else {
+} else {
+    //for other users, we need to create a zipfile with only visible files and folders
+    
 	if ($path == '/') {
 		$querypath = ''; // to prevent ...path LIKE '//%'... in query
 	} else {
 		$querypath = $path;
 	}
+	$querypath = Database::escape_string($querypath);
+	
 	//big problem: visible files that are in a hidden folder are included when we do a query for visiblity='v'!!!
 	//so... I do it in a couple of steps:
 	//1st: get all files that are visible in the given path
-	$query = Database::query("SELECT url FROM $tbl_student_publication AS work,$prop_table AS props  WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".$querypath."/%' AND work.filetype='file' AND props.visibility='1' AND props.lastedit_user_id='".api_get_user_id()."'");
+	$query = Database::query("SELECT url FROM $tbl_student_publication AS work, $prop_table AS props  
+							  WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".$querypath."/%' AND work.filetype='file' AND props.visibility='1' AND props.lastedit_user_id='".api_get_user_id()."'");
 	//add them to an array
 	$all_visible_files_path = array();
 	while ($all_visible_files = Database::fetch_assoc($query)) {
 		$all_visible_files_path[] = $all_visible_files['url'];
 	}
 	//2nd: get all folders that are invisible in the given path
-	$query2 = Database::query("SELECT url FROM $tbl_student_publication AS work,$prop_table AS props  WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".$querypath."/%' AND work.filetype='file' AND props.visibility<>'1' AND props.lastedit_user_id='".api_get_user_id()."'");
+	$query2 = Database::query("SELECT url FROM $tbl_student_publication AS work, $prop_table AS props  
+	WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".$querypath."/%' AND work.filetype='file' AND props.visibility<>'1' AND props.lastedit_user_id='".api_get_user_id()."'");
+	
 	//if we get invisible folders, we have to filter out these results from all visible files we found

 	if (Database::num_rows($query2) > 0) {
 		//add tem to an array
 		while ($invisible_folders = Database::fetch_assoc($query2)) {
 		//3rd: get all files that are in the found invisible folder (these are "invisible" too)
-			$query3 = Database::query("SELECT url FROM $tbl_student_publication AS work,$prop_table AS props  WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".$invisible_folders['path']."/%' AND work.filetype='file' AND props.visibility='1' AND props.lastedit_user_id='".api_get_user_id()."'");
+			$query3 = Database::query("SELECT url FROM $tbl_student_publication AS work, $prop_table AS props  
+									   WHERE props.tool='work' AND work.id=props.ref AND work.url LIKE 'work".Database::escape_string($invisible_folders['path'])."/%' AND work.filetype='file' AND props.visibility='1' AND props.lastedit_user_id='".api_get_user_id()."'");
 			//add tem to an array
 			while ($files_in_invisible_folder = Database::fetch_assoc($query3)) {
 				$files_in_invisible_folder_path[] = $files_in_invisible_folder['url'];
@ -115,15 +121,19 @@ else {
 		$zip_folder->add($sys_course_path.$_course['path'].'/'.$files_for_zipfile[$i], PCLZIP_OPT_REMOVE_PATH, $sys_course_path.$_course['path'].'/work'.$remove_dir);
 	}
 }//end for other users
+
 //logging
-// launch event
 event_download(basename($path).'.zip (folder)');

 //start download of created file
 $name = basename($path).'.zip';
-DocumentManager::file_send_for_download($temp_zip_file, true, $name);
-@unlink($temp_zip_file);
-exit;
+
+if (Security::check_abs_path($temp_zip_file, $temp_zip_dir.'/')) {
+    DocumentManager::file_send_for_download($temp_zip_file, true, $name);
+    @unlink($temp_zip_file);
+    exit;    
+}
+

 /*	Extra function (only used here) */