Merge remote-tracking branch 'upstream/preprodparkur' into ofaj

main/inc/lib/security.lib.php

@@ -583,4 +583,23 @@ class Security
 
         return $output;
     }
+
+    private static function generateSecTokenVariable(string $prefix = ''): string
+    {
+        if (empty($prefix)) {
+            return 'sec_token';
+        }
+
+        return $prefix.'_sec_token';
+    }
+    /**
+     * Sanitize a string, so it can be used in the exec() command without
+     * "jail-breaking" to execute other commands.
+     * @param string $param The string to filter
+     * @return string
+     */
+    public static function sanitizeExecParam(string $param): string
+    {
+        return preg_replace('/[`;&|]/', '', $param);
+    }
 }

main/webservices/additional_webservices.php

@@ -27,10 +27,13 @@ function wsConvertPpt($pptData)
         }
     }
     $fileData = $pptData['file_data'];
-    $dataInfo = pathinfo($pptData['file_name']);
-    $fileName = basename($pptData['file_name'], '.'.$dataInfo['extension']);
-    $fullFileName = $pptData['file_name'];
-    $size = $pptData['service_ppt2lp_size'];
+    // Clean filename to avoid hacks. Prevents "&" and ";" to be used in filename, notably
+    $sanitizedFileName = Security::sanitizeExecParam($pptData['file_name']);
+    $dataInfo = pathinfo($sanitizedFileName);
+    $fileName = basename($sanitizedFileName, '.'.$dataInfo['extension']);
+    // Add additional cleaning of .php and .htaccess files
+    $fullFileName = Security::filter_filename($sanitizedFileName);
+    $size = Security::sanitizeExecParam($pptData['service_ppt2lp_size']);
     $w = '800';
     $h = '600';
     if (!empty($size)) {