diff --git a/changes.txt b/changes.txt index 91c3c335..b6c80363 100644 --- a/changes.txt +++ b/changes.txt @@ -8,6 +8,7 @@ Adminer 4.9.0-dev: - Set saving to file as a default export option. - Improve URL and email detection. - Fix AdminerVersionNoverify plugin blocking other plugins to modify HTML head. +- Fix several bugs and security issues in AdminerFileUpload plugin. - Update composer.json. Adminer 4.8.2 (released 2024-03-16): diff --git a/plugins/file-upload.php b/plugins/file-upload.php index af352673..26a8e5e0 100644 --- a/plugins/file-upload.php +++ b/plugins/file-upload.php @@ -1,5 +1,4 @@ and link to the uploaded files from select * @link https://www.adminer.org/plugins/#use @@ -12,9 +11,9 @@ class AdminerFileUpload { var $uploadPath, $displayPath, $extensions; /** - * @param string prefix for uploading data (create writable subdirectory for each table containing uploadable fields) - * @param string prefix for displaying data, null stands for $uploadPath - * @param string regular expression with allowed file extensions + * @param string $uploadPath prefix for uploading data (create writable subdirectory for each table containing uploadable fields) + * @param string|null $displayPath prefix for displaying data, null stands for $uploadPath + * @param string $extensions regular expression with allowed file extensions */ function __construct($uploadPath = "../static/data/", $displayPath = null, $extensions = "[a-zA-Z0-9]+") { $this->uploadPath = $uploadPath; @@ -30,24 +29,56 @@ class AdminerFileUpload { function processInput($field, $value, $function = "") { if (preg_match('~(.*)_path$~', $field["field"], $regs)) { - $table = ($_GET["edit"] != "" ? $_GET["edit"] : $_GET["select"]); - $name = "fields-$field[field]"; - if ($_FILES[$name]["error"] || !preg_match("~(\\.($this->extensions))?\$~", $_FILES[$name]["name"], $regs2)) { + $tableName = ($_GET["edit"] != "" ? $_GET["edit"] : $_GET["select"]); + $fieldName = $field["field"]; + $files = $_FILES["fields"]; + + // Check upload error and file extension. + if ($files["error"][$fieldName] || !preg_match('~\.(' . $this->extensions . ')$~', $files["name"][$fieldName], $regs2)) { return false; } - //! unlink old - $filename = uniqid() . $regs2[0]; - if (!move_uploaded_file($_FILES[$name]["tmp_name"], "$this->uploadPath$table/$regs[1]-$filename")) { + + // Generate random unique file name. + do { + $filename = $this->generateName() . $regs2[0]; + + $targetPath = $this->uploadPath . $this->fsEncode($tableName) . "/" . $this->fsEncode($regs[1]) . "-$filename"; + } while (file_exists($targetPath)); + + // Move file to final destination. + if (!move_uploaded_file($files["tmp_name"][$fieldName], $targetPath)) { return false; } + return q($filename); } } - function selectVal($val, &$link, $field, $original) { - if ($val != "" && preg_match('~(.*)_path$~', $field["field"], $regs)) { - $link = "$this->displayPath$_GET[select]/$regs[1]-$val"; - } + private function fsEncode($value) { + // Encode special filesystem characters. + return strtr($value, [ + '.' => '%2E', + '/' => '%2F', + '\\' => '%5C', + ]); } + private function generateName() + { + $rand = function_exists("random_int") ? "random_int" : "rand"; + + $result = ''; + for ($i = 0; $i < 16; $i++) { + $code = $rand(97, 132); // random ASCII code for a-z and shifted 0-9 + $result .= chr($code > 122 ? $code - 122 + 47 : $code); + } + + return $result; + } + + function selectVal($val, &$link, $field, $original) { + if ($val != "" && preg_match('~(.*)_path$~', $field["field"], $regs)) { + $link = $this->displayPath . "$_GET[select]/$regs[1]-$val"; + } + } }