Detaint some user inputs to avoid malicious file inclusion
git-svn-id: http://svn.zoneminder.com/svn/zm/trunk@3483 e3e1d417-86f3-4887-817a-d78f3d33393f
parent
a3ef933f2d
commit
6035ed211a
@ -2350,13 +2350,21 @@ function generateConnKey()
|
||||||
return( rand( 1, 999999 ) );
|
return( rand( 1, 999999 ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function detaintPath( $path )
|
||||||
|
{
|
||||||
|
// Remove any absolute paths, or relative ones that want to go up
|
||||||
|
$path = preg_replace( '/\.\.\//', '', $path );
|
||||||
|
$path = preg_replace( '/^\//', '', $path );
|
||||||
|
return( $path );
|
||||||
|
}
|
||||||
|
|
||||||
function getSkinFile( $file )
|
function getSkinFile( $file )
|
||||||
{
|
{
|
||||||
global $skinBase;
|
global $skinBase;
|
||||||
$skinFile = false;
|
$skinFile = false;
|
||||||
foreach ( $skinBase as $skin )
|
foreach ( $skinBase as $skin )
|
||||||
{
|
{
|
||||||
$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
|
$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
|
||||||
if ( file_exists( $tempSkinFile ) )
|
if ( file_exists( $tempSkinFile ) )
|
||||||
$skinFile = $tempSkinFile;
|
$skinFile = $tempSkinFile;
|
||||||
}
|
}
|
||||||
|
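Review bot: detaintPath, the new function added between generateConnKey and getSkinFile, strips `../` in a single pass, so an input such as `....//` still contains `../` after the replacement and, once joined into `skins/<skin>/<file>` by the callers below, can leave the skins directory before file_exists and require_once see it; the leading-slash rule has the same one-pass weakness (`//etc/x` becomes `/etc/x`). Repeating both replacements until the string stops changing closes that gap for these two patterns; stripping is still weaker than rejecting the request outright, and backslashes are not touched, which presumably only matters on Windows hosts — confirm. I would also change the comment to say what the function guarantees: `// Strip "../" and leading "/" repeatedly so a single strip cannot leave a new "../" behind`. getSkinFile's body continues past the end of the hunk.
```php
function detaintPath( $path )
{
    // Strip "../" and leading "/" until nothing changes, so that an input
    // like "....//" cannot collapse back into "../" after a single pass.
    do
    {
        $before = $path;
        $path = preg_replace( '/\.\.\//', '', $path );
        $path = preg_replace( '/^\//', '', $path );
    } while ( $path !== $before );
    return( $path );
}
```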
@ -2369,7 +2377,7 @@ function getSkinIncludes( $file, $includeBase=false, $asOverride=false )
|
||||||
$skinFile = false;
|
$skinFile = false;
|
||||||
foreach ( $skinBase as $skin )
|
foreach ( $skinBase as $skin )
|
||||||
{
|
{
|
||||||
$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
|
$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
|
||||||
if ( file_exists( $tempSkinFile ) )
|
if ( file_exists( $tempSkinFile ) )
|
||||||
$skinFile = $tempSkinFile;
|
$skinFile = $tempSkinFile;
|
||||||
}
|
}
|
||||||
|
|
|
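Review bot: Applying detaintPath to the already-joined path means a `$file` that carried `../` is silently rewritten and the loop keeps looking for whatever file remains after the strip, instead of the lookup failing; since index.php builds `$file` here from `$_REQUEST['request']` (`'ajax/'.$request.'.php'`), a tampered request quietly resolves to a different skin file. I would refuse the lookup when sanitising changed anything: `$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;` followed by `if ( detaintPath( $tempSkinFile ) !== $tempSkinFile ) continue;`. getSkinIncludes starts before this hunk and its body continues after it.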
@ -97,10 +97,13 @@ require_once( 'includes/lang.php' );
|
||||||
require_once( 'includes/functions.php' );
|
require_once( 'includes/functions.php' );
|
||||||
|
|
||||||
if ( isset($_REQUEST['view']) )
|
if ( isset($_REQUEST['view']) )
|
||||||
$view = validHtmlStr($_REQUEST['view']);
|
$view = detaintPath($_REQUEST['view']);
|
||||||
|
|
||||||
|
if ( isset($_REQUEST['request']) )
|
||||||
|
$request = detaintPath($_REQUEST['request']);
|
||||||
|
|
||||||
if ( isset($_REQUEST['action']) )
|
if ( isset($_REQUEST['action']) )
|
||||||
$action = validHtmlStr($_REQUEST['action']);
|
$action = detaintPath($_REQUEST['action']);
|
||||||
|
|
||||||
require_once( 'includes/actions.php' );
|
require_once( 'includes/actions.php' );
|
||||||
|
|
||||||
|
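Review bot: Replacing validHtmlStr with detaintPath on `$view`, `$request` and `$action` trades HTML escaping for path stripping, and `$view` and `$request` are later interpolated into `Fatal( "View '$view' does not exist" )` and `Fatal( "Request '$request' does not exist" )`, so if Fatal writes to the page those values now reach the browser unescaped — confirm how Fatal renders. Because each value names a view, an ajax handler or an action rather than an arbitrary path, an allowlist is both simpler and stronger than stripping, e.g. `if ( isset($_REQUEST['view']) && !preg_match( '/^[A-Za-z0-9_]+$/', $_REQUEST['view'] ) ) Fatal( "Invalid view" );` and likewise for `request`. Nothing in this hunk shows `$action` being used as a file path; if it is not, the previous validHtmlStr filter may be the more appropriate one to keep for it.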
@ -109,13 +112,10 @@ foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
|
||||||
|
|
||||||
if ( isset( $_REQUEST['request'] ) )
|
if ( isset( $_REQUEST['request'] ) )
|
||||||
{
|
{
|
||||||
$request = validHtmlStr($_REQUEST['request']);
|
|
||||||
foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
|
foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
|
||||||
{
|
{
|
||||||
if ( !file_exists( $includeFile ) )
|
if ( !file_exists( $includeFile ) )
|
||||||
{
|
|
||||||
Fatal( "Request '$request' does not exist" );
|
Fatal( "Request '$request' does not exist" );
|
||||||
}
|
|
||||||
require_once $includeFile;
|
require_once $includeFile;
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
|
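Review bot: The removed `$request = validHtmlStr($_REQUEST['request']);` line was the only HTML escaping of `$request` before it is interpolated into `Fatal( "Request '$request' does not exist" )`; detaintPath, now applied earlier in index.php, removes only `../` and a leading `/`, so characters such as `<` and `"` pass straight through. If Fatal renders into HTML, escape at the point of output: `Fatal( "Request '".validHtmlStr($request)."' does not exist" );`. The enclosing `if ( isset( $_REQUEST['request'] ) )` block closes after the end of the hunk.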
@ -127,9 +127,7 @@ else
|
||||||
foreach ( $includeFiles as $includeFile )
|
foreach ( $includeFiles as $includeFile )
|
||||||
{
|
{
|
||||||
if ( !file_exists( $includeFile ) )
|
if ( !file_exists( $includeFile ) )
|
||||||
{
|
|
||||||
Fatal( "View '$view' does not exist" );
|
Fatal( "View '$view' does not exist" );
|
||||||
}
|
|
||||||
require_once $includeFile;
|
require_once $includeFile;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|