TheCoreDev/sterivein
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #554 from lovenunu/security-fix

Browse Source 
Security fix
This commit is contained in:
Julien
2014-08-05 08:35:57 +02:00
parent d30dc2c30b 967dbc15d4
commit 6640abc7b6
5 changed files with 83 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/lib/Thelia/Config/I18n/en_US.php
View File

@@ -112,6 +112,7 @@ return array(
'Fax' => 'Fax', 'Fax' => 'Fax',
'Feature value does not match FLOAT format' => 'Feature value does not match FLOAT format', 'Feature value does not match FLOAT format' => 'Feature value does not match FLOAT format',
'File is too large, please retry with a file having a size less than %size%.' => 'File is too large, please retry with a file having a size less than %size%.', 'File is too large, please retry with a file having a size less than %size%.' => 'File is too large, please retry with a file having a size less than %size%.',
'Files with the following extension are not allowed: %extension, please do an archive of the file if you want to upload it' => 'Files with the following extension are not allowed: %extension, please do an archive of the file if you want to upload it',
'First Name' => 'First Name', 'First Name' => 'First Name',
'Firstname' => 'Firstname', 'Firstname' => 'Firstname',
'Fixed Amount Discount' => 'Fixed Amount Discount', 'Fixed Amount Discount' => 'Fixed Amount Discount',
@@ -309,6 +310,7 @@ return array(
'The detailed description.' => 'The detailed description.', 'The detailed description.' => 'The detailed description.',
'The image which replaces an undefined country flag (%file) was not found. Please check unknown-flag-path configuration variable, and check that the image exists.' => 'The image which replaces an undefined country flag (%file) was not found. Please check unknown-flag-path configuration variable, and check that the image exists.', 'The image which replaces an undefined country flag (%file) was not found. Please check unknown-flag-path configuration variable, and check that the image exists.' => 'The image which replaces an undefined country flag (%file) was not found. Please check unknown-flag-path configuration variable, and check that the image exists.',
'The loop name \'%name\' is already defined in %className class' => 'The loop name \'%name\' is already defined in %className class', 'The loop name \'%name\' is already defined in %className class' => 'The loop name \'%name\' is already defined in %className class',
'There\'s a conflict between your file extension "%ext" and the mime type "%mime"' => 'There\'s a conflict between your file extension "%ext" and the mime type "%mime"',
'This brand is online' => 'This brand is online', 'This brand is online' => 'This brand is online',
'This category is online.' => 'This category is online.', 'This category is online.' => 'This category is online.',
'This condition is always true' => 'This condition is always true', 'This condition is always true' => 'This condition is always true',

2
core/lib/Thelia/Config/I18n/fr_FR.php
View File

@@ -112,6 +112,7 @@ return array(
'Fax' => 'Fax', 'Fax' => 'Fax',
'Feature value does not match FLOAT format' => 'valeur de caractéristique n\'est pas un FLOAT', 'Feature value does not match FLOAT format' => 'valeur de caractéristique n\'est pas un FLOAT',
'File is too large, please retry with a file having a size less than %size%.' => 'La taille de ce fichier est trop importante. Merci d\'envoyer des fichier dont la taille est inférieure à %size%.', 'File is too large, please retry with a file having a size less than %size%.' => 'La taille de ce fichier est trop importante. Merci d\'envoyer des fichier dont la taille est inférieure à %size%.',
'Files with the following extension are not allowed: %extension, please do an archive of the file if you want to upload it' => 'Les fichiers avec l\'extension suivante ne sont pas acceptés: %extension, veuillez créer une archive contenant ce fichier si vous voulez l\'envoyer',
'First Name' => 'Prénom', 'First Name' => 'Prénom',
'Firstname' => 'Prénom', 'Firstname' => 'Prénom',
'Fixed Amount Discount' => 'Remise d\'un montant fixe', 'Fixed Amount Discount' => 'Remise d\'un montant fixe',
@@ -309,6 +310,7 @@ return array(
'The detailed description.' => 'La description détaillée', 'The detailed description.' => 'La description détaillée',
'The image which replaces an undefined country flag (%file) was not found. Please check unknown-flag-path configuration variable, and check that the image exists.' => 'L\'image qui remplace un drapeau de pays manquant (%file) n\'a pas été trouvée. Merci de vérifier la variable de configuration unknown-flag-path.', 'The image which replaces an undefined country flag (%file) was not found. Please check unknown-flag-path configuration variable, and check that the image exists.' => 'L\'image qui remplace un drapeau de pays manquant (%file) n\'a pas été trouvée. Merci de vérifier la variable de configuration unknown-flag-path.',
'The loop name \'%name\' is already defined in %className class' => 'La boucle \'%name\' est déjà définir dans la classe %className', 'The loop name \'%name\' is already defined in %className class' => 'La boucle \'%name\' est déjà définir dans la classe %className',
'There\'s a conflict between your file extension "%ext" and the mime type "%mime"' => 'Il y a un conflit entre l\'extension "%ext" et le type mome "%mime" ',
'This brand is online' => 'Cette marque est en ligne', 'This brand is online' => 'Cette marque est en ligne',
'This category is online.' => 'Cette catégorie est en ligne.', 'This category is online.' => 'Cette catégorie est en ligne.',
'This condition is always true' => 'Cette condition est troujours vérifiée', 'This condition is always true' => 'Cette condition est troujours vérifiée',

2
core/lib/Thelia/Config/Resources/config.xml
View File

@@ -137,7 +137,7 @@
<service id="session.listener" class="Thelia\Core\EventListener\SessionListener"> <service id="session.listener" class="Thelia\Core\EventListener\SessionListener">
<tag name="kernel.event_subscriber"/> <tag name="kernel.event_subscriber"/>
</service> </service>
<!-- Archive builders --> <!-- Archive builders -->
<service id="thelia.manager.archive_builder_manager" class="Thelia\Core\FileFormat\Archive\ArchiveBuilderManager"> <service id="thelia.manager.archive_builder_manager" class="Thelia\Core\FileFormat\Archive\ArchiveBuilderManager">

98
core/lib/Thelia/Controller/Admin/FileController.php
View File

@@ -26,6 +26,7 @@ use Thelia\Files\FileModelInterface;
use Thelia\Form\Exception\FormValidationException; use Thelia\Form\Exception\FormValidationException;
use Thelia\Log\Tlog; use Thelia\Log\Tlog;
use Thelia\Model\Lang; use Thelia\Model\Lang;
use Thelia\Tools\MimeTypeTools;
use Thelia\Tools\Rest\ResponseRest; use Thelia\Tools\Rest\ResponseRest;
use Thelia\Tools\URL; use Thelia\Tools\URL;
@@ -56,16 +57,24 @@ class FileController extends BaseAdminController
/** /**
* Manage how a file collection has to be saved * Manage how a file collection has to be saved
* *
* @param int $parentId Parent id owning files being saved * @param int $parentId Parent id owning files being saved
* @param string $parentType Parent Type owning files being saved (product, category, content, etc.) * @param string $parentType Parent Type owning files being saved (product, category, content, etc.)
* @param string $objectType Object type, e.g. image or document * @param string $objectType Object type, e.g. image or document
* @param array $validMimeTypes an array of valid mime types. If empty, any mime type is allowed. * @param array $validMimeTypes an array of valid mime types. If empty, any mime type is allowed.
* * @param array $extBlackList an array of blacklisted extensions.
* @return Response * @return Response
*/ */
public function saveFileAjaxAction($parentId, $parentType, $objectType, $validMimeTypes = array()) public function saveFileAjaxAction(
{ $parentId,
$this->checkAuth(AdminResources::retrieve($parentType), array(), AccessManager::UPDATE); $parentType,
$objectType,
$validMimeTypes = array(),
$extBlackList = array()
) {
if (null !== $response = $this->checkAuth(AdminResources::retrieve($parentType), array(), AccessManager::UPDATE)) {
return $response;
}
$this->checkXmlHttpRequest(); $this->checkXmlHttpRequest();
if ($this->getRequest()->isMethod('POST')) { if ($this->getRequest()->isMethod('POST')) {
@@ -87,26 +96,50 @@ class FileController extends BaseAdminController
return new ResponseRest($message, 'text', 403); return new ResponseRest($message, 'text', 403);
} }
$message = null;
$realFileName = $fileBeingUploaded->getClientOriginalName();
if (! empty($validMimeTypes)) { if (! empty($validMimeTypes)) {
// Check if we have the proper file type
$isValid = false;
$mimeType = $fileBeingUploaded->getMimeType(); $mimeType = $fileBeingUploaded->getMimeType();
if (in_array($mimeType, $validMimeTypes)) { if (!isset($validMimeTypes[$mimeType])) {
$isValid = true;
}
if (! $isValid) {
$message = $this->getTranslator() $message = $this->getTranslator()
->trans( ->trans(
'Only files having the following mime type are allowed: %types%', 'Only files having the following mime type are allowed: %types%',
[ '%types%' => implode(', ', $validMimeTypes)] [ '%types%' => implode(', ', $validMimeTypes)]
); );
return new ResponseRest($message, 'text', 415);
} }
$regex = "#^(.+)\.(".implode("|", $validMimeTypes[$mimeType]).")$#i";
if (!preg_match($regex, $realFileName)) {
$message = $this->getTranslator()
->trans(
"There's a conflict between your file extension \"%ext\" and the mime type \"%mime\"",
[
'%mime' => $mimeType,
'%ext' => $fileBeingUploaded->getClientOriginalExtension()
]
);
}
}
if (!empty($extBlackList)) {
$regex = "#^(.+)\.(".implode("|", $extBlackList).")$#i";
if (preg_match($regex, $realFileName)) {
$message = $this->getTranslator()
->trans(
'Files with the following extension are not allowed: %extension, please do an archive of the file if you want to upload it',
[
'%extension' => $fileBeingUploaded->getClientOriginalExtension(),
]
);
}
}
if ($message !== null) {
return new ResponseRest($message, 'text', 415);
} }
$fileModel = $fileManager->getModelInstance($objectType, $parentType); $fileModel = $fileManager->getModelInstance($objectType, $parentType);
@@ -169,7 +202,16 @@ class FileController extends BaseAdminController
*/ */
public function saveImageAjaxAction($parentId, $parentType) public function saveImageAjaxAction($parentId, $parentType)
{ {
return $this->saveFileAjaxAction($parentId, $parentType, 'image', ['image/jpeg' , 'image/png' ,'image/gif']); return $this->saveFileAjaxAction(
$parentId,
$parentType,
'image',
[
'image/jpeg' => ["jpg", "jpeg"],
'image/png' => ["png"],
'image/gif' => ["gif"],
]
);
} }
/** /**
@@ -182,7 +224,21 @@ class FileController extends BaseAdminController
*/ */
public function saveDocumentAjaxAction($parentId, $parentType) public function saveDocumentAjaxAction($parentId, $parentType)
{ {
return $this->saveFileAjaxAction($parentId, $parentType, 'document'); return $this->saveFileAjaxAction(
$parentId,
$parentType,
'document',
[],
[
"php",
"php3",
"php4",
"php5",
"php6",
"asp",
"aspx",
]
);
} }
/** /**

2
core/lib/Thelia/Tests/Tools/URLTest.php
View File

@@ -10,7 +10,7 @@
/* file that was distributed with this source code. */ /* file that was distributed with this source code. */
/*************************************************************************************/ /*************************************************************************************/
namespace Thelia\Tests\Type; namespace Thelia\Tests\Tools;
use Thelia\Tools\URL; use Thelia\Tools\URL;