spacepaste

Paste details

reply | raw

  1.  
  2. --- before_compose.php 2018-03-15 14:46:42.000000000 +0200
  3. +++ after_compose.php 2018-03-15 14:46:38.000000000 +0200
  4. @@ -147,6 +147,62 @@
  6. /* --------------------- Specific Functions ------------------------------ */
  8. +/*
  9. +Validate the user input 'attachments'.
  10. +If the input is ok, don't do anything.
  11. +If the attachment's file name is in an unexpected format, empty the attachments.
  12. +*/
  13. +function validateAttachments() {
  14. +
  15. + global $username, $attachment_dir, $attachments;
  16. +
  17. + // no attachments - nothing to validate
  18. + if (empty($attachments))
  19. + {
  20. + return;
  21. + }
  22. +
  23. + // get the Messages array
  24. + $attach_arr = unserialize($attachments);
  25. +
  26. + if (empty($attach_arr) || !is_array($attach_arr))
  27. + {
  28. + return;
  29. + }
  30. +
  31. + $hashed_attachment_dir = realpath(getHashedDir($username, $attachment_dir));
  32. +
  33. + /*
  34. + For each attachment (of type Message), verify:
  35. + 1. That after calling realpath(), we are in the attachment directory.
  36. + 2. That the file name is 32 characters long (a fixed length used for attachments).
  37. + 3. That the file has no extension.
  38. +
  39. + Notes: The attachment file name is a random 32-long string.
  40. + The attachments directory contains other types of files as well,
  41. + but they either have an exention or are not 32-characters long.
  42. + */
  43. + foreach ($attach_arr as $attach_msg_obj)
  44. + {
  45. + $received_file_name = $attach_msg_obj->att_local_name;
  46. + $full_path = realpath($hashed_attachment_dir . '/' . $received_file_name);
  47. +
  48. + $path_parts = pathinfo($full_path);
  49. + $file_name = $path_parts['basename'];
  50. +
  51. + if ((substr($full_path, 0, strlen($hashed_attachment_dir)) != $hashed_attachment_dir) or
  52. + (strlen($file_name) != 32) or
  53. + ($path_parts['extension'] != ""))
  54. + {
  55. + $attachments = '';
  56. + return;
  57. + }
  58. + }
  59. +
  60. + return;
  61. +}
  62. +
  63. +
  64. function replyAllString($header) {
  65. global $include_self_reply_all, $username, $data_dir;
  66. $excl_ar = array();
  67. @@ -287,6 +343,8 @@
  68. }
  69. /* ----------------------------------------------------------------------- */
  71. +validateAttachments();
  72. +
  73. /*
  74. * If the session is expired during a post this restores the compose session
  75. * vars.
  76. @@ -1745,4 +1803,3 @@
  77. }
  78. return $succes;
  79. }
  80. -
  81.  
Powered by spacepaste. Paste removal.