Unverified Commit 6ca9a0e7 authored by Cédric Anne's avatar Cédric Anne Committed by GitHub

Merge pull request from GHSA-rm52-jx9h-rwcp

- Prevent removal of any plugin file from unauthenticated user
- Prevent access to files outside plugins directories
- Prevent access to files from inactive plugins
- Limit access to images and fix content-type
- Add changelog entry
parent f021f1f3
......@@ -10,6 +10,7 @@ The present file will list all changes made to the project; according to the
#### Removed
- Ability to use SQL expressions as string in criterion values in SQL iterator (replaced by usage of `QueryExpression`).
- Ability to delete a plugin image using `/front/pluginimage.send.php` script.
## [9.5.1] 2020-07-16
......
......@@ -43,34 +43,36 @@ use Glpi\Event;
include ('../inc/includes.php');
if (!isset($_GET["name"]) || !isset($_GET["plugin"])) {
if (!isset($_GET["name"]) || !isset($_GET["plugin"]) || !Plugin::isPluginActive($_GET["plugin"])) {
Event::log("-1", "system", 2, "security",
//TRANS: %s is user name
sprintf(__('%s makes a bad usage.'), $_SESSION["glpiname"]));
die("security");
}
$dir = GLPI_PLUGIN_DOC_DIR."/".$_GET["plugin"]."/";
$filepath = $dir.$_GET["name"];
if ((basename($_GET["name"]) != $_GET["name"])
|| (basename($_GET["plugin"]) != $_GET["plugin"])) {
|| (basename($_GET["plugin"]) != $_GET["plugin"])
|| !Toolbox::startsWith(realpath($filepath), realpath(GLPI_PLUGIN_DOC_DIR))
|| !Document::isImage($filepath)) {
Event::log("-1", "system", 1, "security",
sprintf(__('%s tries to use a non standard path.'), $_SESSION["glpiname"]));
die("security");
}
$Path = GLPI_PLUGIN_DOC_DIR."/".$_GET["plugin"]."/";
// Now send the file with header() magic
header("Expires: Sun, 30 Jan 1966 06:30:00 GMT");
header('Pragma: private'); /// IE BUG + SSL
header('Cache-control: private, must-revalidate'); /// IE BUG + SSL
header('Content-disposition: filename="' . $_GET["name"] . '"');
header("Content-type: image/png");
if (file_exists($Path.$_GET["name"])) {
readfile($Path.$_GET["name"]);
if (isset($_GET["clean"])) {
unlink($Path.$_GET["name"]);
}
if (file_exists($filepath)) {
header("Content-type: " . Toolbox::getMime($filepath));
readfile($filepath);
} else {
header("Content-type: image/png");
readfile($CFG_GLPI['root_doc'] . "/pics/warning.png");
}
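Review bot: The containment test `!Toolbox::startsWith(realpath($filepath), realpath(GLPI_PLUGIN_DOC_DIR))` compares raw string prefixes, so a resolved path in a sibling directory whose name merely begins with the plugin-doc directory name would still pass; because the two `basename()` checks already pin the unresolved path, this test mainly matters for symlinked entries, which is where the prefix gap applies. Appending the separator closes it: `|| !Toolbox::startsWith(realpath($filepath), realpath(GLPI_PLUGIN_DOC_DIR) . DIRECTORY_SEPARATOR)`. `realpath()` also returns `false` for a missing file, so (assuming `Toolbox::startsWith` rejects `false`; its body is not visible here) a request for a nonexistent image now ends in `die("security")` with a security log entry, and the `else` branch that serves `warning.png` looks unreachable. Resolving the path once into a variable, checking it for `false`, and passing that resolved value to `Toolbox::getMime()` and `readfile()` would also guarantee that the path that was checked is the path that is served.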