Webservice: Add filter on PPT filename for remote PPT2LP converter

2 years ago · 7ecc0c9cb0
parent dbab0ccdc0
commit 7ecc0c9cb0
2 changed files with 17 additions and 4 deletions
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@ -632,4 +632,14 @@ class Security

        return $prefix.'_sec_token';
    }
+    /**
+     * Sanitize a string, so it can be used in the exec() command without
+     * "jail-breaking" to execute other commands.
+     * @param string $param The string to filter
+     * @return string
+     */
+    public static function sanitizeExecParam(string $param): string
+    {
+        return preg_replace('/[`;&|]/', '', $param);
+    }
 }
--- a/main/webservices/additional_webservices.php
+++ b/main/webservices/additional_webservices.php
@ -29,10 +29,13 @@ function wsConvertPpt($pptData)
        }
    }
    $fileData = $pptData['file_data'];
-    $dataInfo = pathinfo($pptData['file_name']);
-    $fileName = basename($pptData['file_name'], '.'.$dataInfo['extension']);
-    $fullFileName = $pptData['file_name'];
-    $size = $pptData['service_ppt2lp_size'];
+    // Clean filename to avoid hacks. Prevents "&" and ";" to be used in filename, notably
+    $sanitizedFileName = Security::sanitizeExecParam($pptData['file_name']);
+    $dataInfo = pathinfo($sanitizedFileName);
+    $fileName = basename($sanitizedFileName, '.'.$dataInfo['extension']);
+    // Add additional cleaning of .php and .htaccess files
+    $fullFileName = Security::filter_filename($sanitizedFileName);
+    $size = Security::sanitizeExecParam($pptData['service_ppt2lp_size']);
    $w = '800';
    $h = '600';
    if (!empty($size)) {