[svn r12381] Added filtering capabilities on zip-file upload (to be extended to other uploads)

Added a "security" section to the administration portal settings panel
19 years ago · 53c4a5f03d
parent 9865331684
commit 53c4a5f03d
3 changed files with 92 additions and 9 deletions
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@ -77,7 +77,7 @@ function api_replace_parameter($upload_path, $buffer, $param_name="src")
 * replaces "forbidden" characters in a filename string
 *
 * @author - Hugues Peeters <peeters@ipm.ucl.ac.be>
- * @author - René Haentjens, UGent (RH)
+ * @author - Ren<EFBFBD> Haentjens, UGent (RH)
 * @param  - string $filename
 * @param  - string $strict (optional) remove all non-ASCII
 * @return - the cleaned filename
@ -1039,8 +1039,8 @@ function unzip_uploaded_document($uploaded_file, $upload_path, $base_work_dir, $
 */
 function clean_up_files_in_zip($p_event, &$p_header)
 {
-	clean_up_path($p_header['filename']);
-	return 1;
+	$res = clean_up_path($p_header['filename']);
+	return $res;
 }

 //------------------------------------------------------------------------------
@ -1059,15 +1059,80 @@ function clean_up_path(&$path)
 	//split the path in folders and files
    $path_array = explode('/',$path);
    //clean up every foler and filename in the path
+    $val = '';
    foreach($path_array as $key => $val)
 	{
 		//we don't want to lose the dots in ././folder/file (cfr. zipfile)
 		if($path_array[$key]!='.')
 			$path_array[$key] = disable_dangerous_file( replace_dangerous_char($val) );
 	}
-	//join the "cleaned" path
+	//join the "cleaned" path (modified in-place as passed by reference)
 	$path = implode('/',$path_array);
-	return $path;
+	$res = filter_extension($path);
+	return $res;
+}
+
+/**
+ * Check if the file is dangerous, based on extension and/or mimetype.
+ * The list of extensions accepted/rejected can be found from 
+ * api_get_setting('upload_extensions_exclude') and api_get_setting('upload_extensions_include')
+ * @param	string 	filename passed by reference. The filename will be modified if filter rules say so! (you can include path but the filename should look like 'abc.html')
+ * @return	int		0 to skip file in zip extraction, 1 to keep file
+ */
+function filter_extension(&$filename)
+{
+	if(substr($filename,-1)=='/'){return 1;} //authorize directories
+	$blacklist = api_get_setting('upload_extensions_list_type');
+	if($blacklist!='whitelist')//if = blacklist
+	{
+		$extensions = split(';',strtolower(api_get_setting('upload_extensions_blacklist')));
+		$skip = api_get_setting('upload_extensions_skip');
+		$ext = strrchr($filename, ".");		
+		$ext = substr($ext,1);
+		if(empty($ext)){return 1;}//we're in blacklist mode, so accept empty extensions
+		if(in_array(strtolower($ext),$extensions))
+		{
+			if($skip=='true')
+			{
+				return 0;
+			}
+			else
+			{
+				$new_ext = api_get_setting('upload_extensions_replace_by');
+				$filename = str_replace(".".$ext,".".$new_ext,$filename);
+				return 1;
+			}
+		}
+		else
+		{
+			return 1;
+		}
+	}
+	else
+	{
+		$extensions = split(';',strtolower(api_get_setting('upload_extensions_whitelist')));
+		$skip = api_get_setting('upload_extensions_skip');
+		$ext = strrchr($filename, ".");
+		$ext = substr($ext,1);
+		if(empty($ext)){return 1;}//accept empty extensions
+		if(!in_array(strtolower($ext),$extensions))
+		{
+			if($skip=='true')
+			{
+				return 0;
+			}
+			else
+			{
+				$new_ext = api_get_setting('upload_extensions_replace_by');
+				$filename = str_replace(".".$ext,".".$new_ext,$filename);
+				return 1;
+			}
+		}
+		else
+		{
+			return 1;
+		}
+	}
 }

 //------------------------------------------------------------------------------
@ -1815,8 +1880,7 @@ $handle=opendir($path);

 // could be usefull in some cases...
 function remove_accents($string){
-	$string = strtr ( $string, "ÀÁÂÃÄÅàáâãäåÒÓÔÕÖØòóôõöøÈÉÊËèéêëÇçÌÍÎÏìíîïÙÚÛÜùúûüÿÑñ", "AAAAAAaaaaaaOOOOOOooooooEEEEeeeeCcIIIIiiiiUUUUuuuuyNn");
+	$string = strtr ( $string, "<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>", "AAAAAAaaaaaaOOOOOOooooooEEEEeeeeCcIIIIiiiiUUUUuuuuyNn");
 	return $string;
 }
-
 ?>
--- a/main/install/dokeos_main.sql
+++ b/main/install/dokeos_main.sql
@ -492,7 +492,12 @@ INSERT INTO `settings_current` VALUES
 (82, 'service_ppt2lp', 'path_to_lzx', 'textfield', NULL, NULL, '', NULL, NULL, NULL),
 (84, 'service_ppt2lp', 'size', 'radio', NULL, '720x540', '', NULL, NULL, NULL),
 (85, 'wcag_anysurfer_public_pages', NULL, 'radio','Platform','false','PublicPagesComplyToWAITitle','PublicPagesComplyToWAIComment', NULL, NULL),
-(86, 'stylesheets', NULL, 'textfield','stylesheets','default_with_tabs','',NULL, NULL, NULL);
+(86, 'stylesheets', NULL, 'textfield','stylesheets','default_with_tabs','',NULL, NULL, NULL),
+(87, 'upload_extensions_list_type', NULL, 'radio', 'Security', 'blacklist', 'UploadExtensionsListType', 'UploadExtensionsListTypeComment', NULL, NULL),
+(88, 'upload_extensions_blacklist', NULL, 'textfield', 'Security', '', 'UploadExtensionsBlacklist', 'UploadExtensionsBlacklistComment', NULL, NULL),
+(89, 'upload_extensions_whitelist', NULL, 'textfield', 'Security', 'htm;html;jpg;jpeg;gif;png;swf;avi;mpg;mpeg', 'UploadExtensionsWhitelist', 'UploadExtensionsWhitelistComment', NULL, NULL),
+(90, 'upload_extensions_skip', NULL, 'radio', 'Security', 'true', 'UploadExtensionsSkip', 'UploadExtensionsSkipComment', NULL, NULL),
+(91, 'upload_extensions_replace_by', NULL, 'textfield', 'Security', 'dangerous', 'UploadExtensionsReplaceBy', 'UploadExtensionsReplaceByComment', NULL, NULL);


 UNLOCK TABLES;
@ -590,7 +595,11 @@ INSERT INTO `settings_options` VALUES
 (80,'show_email_addresses','true','Yes'),
 (81,'show_email_addresses','false','No'),
 (82,'wcag_anysurfer_public_pages', 'true', 'Yes'),
-(83,'wcag_anysurfer_public_pages', 'false', 'No');
+(83,'wcag_anysurfer_public_pages', 'false', 'No'),
+(84, 'upload_extensions_list_type', 'blacklist', 'Blacklist'),
+(85, 'upload_extensions_list_type', 'whitelist', 'Whitelist'),
+(86, 'upload_extensions_skip', 'true', 'Yes'),
+(87, 'upload_extensions_skip', 'false', 'No');
 UNLOCK TABLES;


--- a/main/install/migrate-db-1.6.x-1.8.0-pre.sql
+++ b/main/install/migrate-db-1.6.x-1.8.0-pre.sql
@ -106,6 +106,12 @@ INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,
 INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('service_ppt2lp', 'size', 'radio', NULL, '720x540', '', NULL, NULL, NULL);
 INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('wcag_anysurfer_public_pages', NULL, 'radio','Platform','false','PublicPagesComplyToWAITitle','PublicPagesComplyToWAIComment', NULL, NULL);
 INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('stylesheets', NULL, 'textfield','stylesheets','default','',NULL, NULL, NULL);
+INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('upload_extensions_list_type', NULL, 'radio', 'Security', 'blacklist', 'UploadExtensionsListType', 'UploadExtensionsListTypeComment', NULL, NULL);
+INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('upload_extensions_blacklist', NULL, 'textfield', 'Security', '', 'UploadExtensionsBlacklist', 'UploadExtensionsBlacklistComment', NULL, NULL);
+INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('upload_extensions_whitelist', NULL, 'textfield', 'Security', 'htm;html;jpg;jpeg;gif;png;swf;avi;mpg;mpeg', 'UploadExtensionsWhitelist', 'UploadExtensionsWhitelistComment', NULL, NULL);
+INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('upload_extensions_skip', NULL, 'radio', 'Security', 'true', 'UploadExtensionsSkip', 'UploadExtensionsSkipComment', NULL, NULL);
+INSERT INTO settings_current(variable,subkey,type,category,selected_value,title,comment,scope,subkeytext) VALUES ('upload_extensions_replace_by', NULL, 'textfield', 'Security', 'txt', 'UploadExtensionsReplaceBy', 'UploadExtensionsReplaceByComment', NULL, NULL);
+

 UPDATE settings_options SET value = 'activity', display_text='HomepageViewActivity' WHERE variable = 'homepage_view' AND value = 'default';
 UPDATE settings_options SET value = '2column', display_text='HomepageView2column' WHERE variable = 'homepage_view' AND value = 'basic_tools_fixed';
@ -132,6 +138,10 @@ INSERT INTO settings_options(variable,value,display_text) VALUES ('show_email_ad
 INSERT INTO settings_options(variable,value,display_text) VALUES ('show_email_addresses','false','No');
 INSERT INTO settings_options(variable,value,display_text) VALUES ('wcag_anysurfer_public_pages', 'true', 'Yes');
 INSERT INTO settings_options(variable,value,display_text) VALUES ('wcag_anysurfer_public_pages', 'false', 'No');
+INSERT INTO settings_options(variable,value,display_text) VALUES ('upload_extensions_list_type', 'blacklist', 'Blacklist');
+INSERT INTO settings_options(variable,value,display_text) VALUES ('upload_extensions_list_type', 'whitelist', 'Whitelist');
+INSERT INTO settings_options(variable,value,display_text) VALUES ('upload_extensions_skip', 'true', 'Yes');
+INSERT INTO settings_options(variable,value,display_text) VALUES ('upload_extensions_skip', 'false', 'No');

 UPDATE course_module SET image = 'links.gif' WHERE image='liens.gif';
 UPDATE course_module SET image = 'members.gif' WHERE image = 'membres.gif';