Fix several bugs and security issues in AdminerFileUpload plugin

changes.txt

@@ -8,6 +8,7 @@ Adminer 4.9.0-dev:
 - Set saving to file as a default export option.
 - Improve URL and email detection.
 - Fix AdminerVersionNoverify plugin blocking other plugins to modify HTML head.
+- Fix several bugs and security issues in AdminerFileUpload plugin.
 - Update composer.json.
 
 Adminer 4.8.2 (released 2024-03-16):

plugins/file-upload.php

@@ -1,5 +1,4 @@
 <?php
-//! delete
 
 /** Edit fields ending with "_path" by <input type="file"> and link to the uploaded files from select
 * @link https://www.adminer.org/plugins/#use
@@ -12,9 +11,9 @@ class AdminerFileUpload {
 	var $uploadPath, $displayPath, $extensions;
 
 	/**
-	* @param string prefix for uploading data (create writable subdirectory for each table containing uploadable fields)
+	* @param string $uploadPath prefix for uploading data (create writable subdirectory for each table containing uploadable fields)
-	* @param string prefix for displaying data, null stands for $uploadPath
+	* @param string|null $displayPath prefix for displaying data, null stands for $uploadPath
-	* @param string regular expression with allowed file extensions
+	* @param string $extensions regular expression with allowed file extensions
 	*/
 	function __construct($uploadPath = "../static/data/", $displayPath = null, $extensions = "[a-zA-Z0-9]+") {
 		$this->uploadPath = $uploadPath;
@@ -30,24 +29,56 @@ class AdminerFileUpload {
 
 	function processInput($field, $value, $function = "") {
 		if (preg_match('~(.*)_path$~', $field["field"], $regs)) {
-			$table = ($_GET["edit"] != "" ? $_GET["edit"] : $_GET["select"]);
+			$tableName = ($_GET["edit"] != "" ? $_GET["edit"] : $_GET["select"]);
-			$name = "fields-$field[field]";
+			$fieldName = $field["field"];
-			if ($_FILES[$name]["error"] || !preg_match("~(\\.($this->extensions))?\$~", $_FILES[$name]["name"], $regs2)) {
+			$files = $_FILES["fields"];
+
+			// Check upload error and file extension.
+			if ($files["error"][$fieldName] || !preg_match('~\.(' . $this->extensions . ')$~', $files["name"][$fieldName], $regs2)) {
 				return false;
 			}
-			//! unlink old
+
-			$filename = uniqid() . $regs2[0];
+			// Generate random unique file name.
-			if (!move_uploaded_file($_FILES[$name]["tmp_name"], "$this->uploadPath$table/$regs[1]-$filename")) {
+			do {
+				$filename = $this->generateName() . $regs2[0];
+
+				$targetPath = $this->uploadPath . $this->fsEncode($tableName) . "/" . $this->fsEncode($regs[1]) . "-$filename";
+			} while (file_exists($targetPath));
+
+			// Move file to final destination.
+			if (!move_uploaded_file($files["tmp_name"][$fieldName], $targetPath)) {
 				return false;
 			}
+
 			return q($filename);
 		}
 	}
 
-	function selectVal($val, &$link, $field, $original) {
+	private function fsEncode($value) {
-		if ($val != "" && preg_match('~(.*)_path$~', $field["field"], $regs)) {
+		// Encode special filesystem characters.
-			$link = "$this->displayPath$_GET[select]/$regs[1]-$val";
+		return strtr($value, [
-		}
+			'.' => '%2E',
+			'/' => '%2F',
+			'\\' => '%5C',
+		]);
 	}
 
+	private function generateName()
+	{
+		$rand = function_exists("random_int") ? "random_int" : "rand";
+
+		$result = '';
+		for ($i = 0; $i < 16; $i++) {
+			$code = $rand(97, 132); // random ASCII code for a-z and shifted 0-9
+			$result .= chr($code > 122 ? $code - 122 + 47 : $code);
+		}
+
+		return $result;
+	}
+
+	function selectVal($val, &$link, $field, $original) {
+		if ($val != "" && preg_match('~(.*)_path$~', $field["field"], $regs)) {
+			$link = $this->displayPath . "$_GET[select]/$regs[1]-$val";
+		}
+	}
 }