Issue #550 - filetypes.xml now used by media-manager.

2025-08-02 12:48:26 +02:00 · 2021-04-21 11:51:53 -07:00
parent 4034d4ab0c
commit 098660d38a
4 changed files with 57 additions and 4 deletions
--- a/e107_handlers/media_class.php
+++ b/e107_handlers/media_class.php
@@ -2232,6 +2232,7 @@ class e_media
 			rename("{$filePath}.part", $filePath);
 		}

+
 		return $this->processAjaxImport($filePath, $_REQUEST); 
 		
 	}
@@ -2255,6 +2256,13 @@ class e_media
 		$targetDir = e_IMPORT;
 		$fileName = basename($filePath);

+		if(e107::getFile()->isAllowedType($filePath) !== true)
+		{
+			$this->ajaxUploadLog($filePath, $fileName, filesize($filePath), false, "Unapproved file-type. (".__METHOD__.")");
+			@unlink($filePath);
+			return '{"jsonrpc" : "2.0", "error" : {"code": 120, "message": "Unapproved file-type detected. '.$filePath.'"}, "id" : "id"}';
+		}
+	
 		if(e107::getFile()->isClean($filePath) !== true)
 		{
 			$this->ajaxUploadLog($filePath, $fileName, filesize($filePath), false, "File detected as not clean. (".__METHOD__.")");
--- a/e107_tests/tests/_data/mediaTest/vulnerable.png.svg
+++ b/e107_tests/tests/_data/mediaTest/vulnerable.png.svg
@@ -0,0 +1,9 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+ 
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+<script type="text/javascript">
+alert('This app is probably vulnerable to XSS attacks!');
+</script>
+</svg>
--- a/e107_tests/tests/unit/e_mediaTest.php
+++ b/e107_tests/tests/unit/e_mediaTest.php
@@ -26,6 +26,15 @@
 				$this->fail($e->getMessage());
 			}

+			$filetypesFile = e_SYSTEM."filetypes.xml";
+
+			$content = '<?xml version="1.0" encoding="utf-8"?>
+							<e107Filetypes>
+								<class name="253" type="zip,gz,jpg,jpeg,png,webp,gif,xml,pdf" maxupload="2M" />
+							</e107Filetypes>';
+
+			file_put_contents($filetypesFile, $content);
+
 		}


@@ -80,13 +89,40 @@
 				$json = $this->md->processAjaxImport($file,$var['param']);

 				$result = json_decode($json, JSON_PRETTY_PRINT);
+
 				$this->assertNotFalse($result);
-
 				$this->assertStringEndsWith('/'.basename($var['file']), $result['result']);
-
 				$this->assertNotEmpty($result['preview']);
 			}

+			$refusalTests = array(
+			0 => array(
+						'file'  => codecept_data_dir()."mediaTest/vulnerable.png.svg",
+						'param' => array (
+							  'for' => 'news ',
+							  'w' => '206',
+							  'h' => '190',
+						),
+						'error' => 120
+				),
+			);
+
+			foreach($refusalTests as $index => $var)
+			{
+				$source = $var['file'];
+				$file = e_IMPORT.basename($var['file']);
+				copy($source,$file);
+
+				$json = $this->md->processAjaxImport($file,$var['param']);
+
+				$result = json_decode($json, JSON_PRETTY_PRINT);
+
+				$this->assertNotFalse($result);
+				$this->assertNotEmpty($result['error']);
+				$this->assertNotEmpty($result['error']['code']);
+				$this->assertSame($var['error'], $result['error']['code']);
+			}
+

 		}

--- a/install.php
+++ b/install.php
@@ -1648,7 +1648,7 @@ if($this->pdo == true)
 	{
 		$data = '<?xml version="1.0" encoding="utf-8"?>
 <e107Filetypes>
-	<class name="253" type="zip,gz,jpg,jpeg,png,gif,xml,pdf" maxupload="2M" />
+	<class name="253" type="zip,gz,jpg,jpeg,png,gif,webp,xml,pdf" maxupload="2M" />
 </e107Filetypes>';

 		return file_put_contents($this->e107->e107_dirs['SYSTEM_DIRECTORY']."filetypes.xml",$data);