
Security fix: Don't follow locations for remote upload by default.

This commit is contained in:
Marco Dickert
2024-01-27 00:18:58 +01:00
parent 3c2359264e
commit 29e645e114


@@ -47,7 +47,8 @@ class IFM {
"extract" => 1, "extract" => 1,
"upload" => 1, "upload" => 1,
"remoteupload" => 1, "remoteupload" => 1,
"remoteupload_disable_ssrf_check" => 0, "remoteupload_disable_ssrf_check" => 0, // security default
"remoteupload_enable_follow_location" => 0, // security default
"rename" => 1, "rename" => 1,
"zipnload" => 1, "zipnload" => 1,
"createarchive" => 1, "createarchive" => 1,
@@ -834,42 +835,52 @@ f00bar;
$filename = (isset($d['filename']) && $d['filename'] != "") ? $d['filename'] : "curl_".uniqid(); $filename = (isset($d['filename']) && $d['filename'] != "") ? $d['filename'] : "curl_".uniqid();
$ch = curl_init(); $ch = curl_init();
if ($ch) { if ($ch) {
if ($this->isFilenameValid($filename) == false) if ($this->isFilenameValid($filename) == false) {
throw new IFMException($this->l('invalid_filename')); throw new IFMException($this->l('invalid_filename'));
else { } else {
$fp = fopen($filename, "w"); $fp = fopen($filename, "w");
if ($fp) { if ($fp) {
if ( if (
!curl_setopt($ch, CURLOPT_URL, urldecode($d['url'])) !curl_setopt($ch, CURLOPT_URL, urldecode($d['url']))
|| !curl_setopt($ch, CURLOPT_FILE, $fp) || !curl_setopt($ch, CURLOPT_FILE, $fp)
|| !curl_setopt($ch, CURLOPT_HEADER, 0) || !curl_setopt($ch, CURLOPT_HEADER, 0)
|| !curl_setopt($ch, CURLOPT_FOLLOWLOCATION, !!$this->config['remoteupload_enable_follow_location'])
|| !curl_exec($ch) || !curl_exec($ch)
) ) {
throw new IFMException($this->l('error')." ".curl_error($ch)); throw new IFMException($this->l('error')." ".curl_error($ch));
else } else {
return ["status" => "OK", "message" => $this->l('file_upload_success')]; return ["status" => "OK", "message" => $this->l('file_upload_success')];
}
curl_close($ch); curl_close($ch);
fclose($fp); fclose($fp);
} else } else {
throw new IFMException($this->l('file_open_error')); throw new IFMException($this->l('file_open_error'));
} }
} else }
} else {
throw new IFMException($this->l('error')." curl init"); throw new IFMException($this->l('error')." curl init");
}
} elseif ($d['method'] == 'file') { } elseif ($d['method'] == 'file') {
$filename = (isset($d['filename']) && $d['filename'] != "") ? $d['filename'] : "curl_".uniqid(); $filename = (isset($d['filename']) && $d['filename'] != "") ? $d['filename'] : "curl_".uniqid();
if ($this->isFilenameValid($filename) == false) if ($this->isFilenameValid($filename) == false) {
throw new IFMException($this->l('invalid_filename')); throw new IFMException($this->l('invalid_filename'));
else { } else {
try { try {
file_put_contents($filename, file_get_contents($d['url'])); $stream_context = stream_context_create([
'http' => [
'follow_location' => !!$this->config['remoteupload_enable_follow_location']
]
]);
file_put_contents($filename, file_get_contents($d['url'], false, $stream_context));
return ["status" => "OK", "message" => $this->l('file_upload_success')]; return ["status" => "OK", "message" => $this->l('file_upload_success')];
} catch (Exception $e) { } catch (Exception $e) {
throw new IFMException($this->l('error') . " " . $e->getMessage()); throw new IFMException($this->l('error') . " " . $e->getMessage());
} }
} }
} else } else {
throw new IFMException($this->l('invalid_params')); throw new IFMException($this->l('invalid_params'));
} }
}
private function createArchive($d) { private function createArchive($d) {
if ($this->config['createarchive'] != 1) if ($this->config['createarchive'] != 1)