Detaint some user inputs to avoid malicious file inclusion

git-svn-id: http://svn.zoneminder.com/svn/zm/trunk@3483 e3e1d417-86f3-4887-817a-d78f3d33393f
This commit is contained in:
stan 2011-07-22 08:37:01 +00:00
parent a3ef933f2d
commit 6035ed211a
2 changed files with 15 additions and 9 deletions

View File

@ -2350,13 +2350,21 @@ function generateConnKey()
return( rand( 1, 999999 ) );
}
function detaintPath( $path )
{
// Remove any absolute paths, or relative ones that want to go up
$path = preg_replace( '/\.\.\//', '', $path );
$path = preg_replace( '/^\//', '', $path );
return( $path );
}
function getSkinFile( $file )
{
global $skinBase;
$skinFile = false;
foreach ( $skinBase as $skin )
{
$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
if ( file_exists( $tempSkinFile ) )
$skinFile = $tempSkinFile;
}
@ -2369,7 +2377,7 @@ function getSkinIncludes( $file, $includeBase=false, $asOverride=false )
$skinFile = false;
foreach ( $skinBase as $skin )
{
$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
$tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
if ( file_exists( $tempSkinFile ) )
$skinFile = $tempSkinFile;
}

View File

@ -97,10 +97,13 @@ require_once( 'includes/lang.php' );
require_once( 'includes/functions.php' );
if ( isset($_REQUEST['view']) )
$view = validHtmlStr($_REQUEST['view']);
$view = detaintPath($_REQUEST['view']);
if ( isset($_REQUEST['request']) )
$request = detaintPath($_REQUEST['request']);
if ( isset($_REQUEST['action']) )
$action = validHtmlStr($_REQUEST['action']);
$action = detaintPath($_REQUEST['action']);
require_once( 'includes/actions.php' );
@ -109,13 +112,10 @@ foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
if ( isset( $_REQUEST['request'] ) )
{
$request = validHtmlStr($_REQUEST['request']);
foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
{
if ( !file_exists( $includeFile ) )
{
Fatal( "Request '$request' does not exist" );
}
require_once $includeFile;
}
return;
@ -127,9 +127,7 @@ else
foreach ( $includeFiles as $includeFile )
{
if ( !file_exists( $includeFile ) )
{
Fatal( "View '$view' does not exist" );
}
require_once $includeFile;
}
}