
Commit 8c82b8a

authored
Security fixes (#534)
* Security fixes resolves malicious upload vulnerability and commits the submitted patch for unsafe deserialisation. * Create .htaccess * Update .htaccess * Create .htaccess
1 parent c49a2f4 commit 8c82b8a


5 files changed

+45
-22
lines changed


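--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,5 @@ temp/*
 # Ignore Mac DS_Store files
 .DS_Store
 /vendor/
+*.diff
+*.rej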

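--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,4 @@
+
+IndexIgnore *
+
+Options -Indexes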

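--- /dev/null
+++ b/attachments/.htaccess
@@ -0,0 +1,8 @@
+AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .$
+
+Options -ExecCGI -Indexes
+
+#grant access only if uploading a word-processing or image format
+<FilesMatch "(?i)\.(pdf|docx?|rtf|odt?g?|txt|wpd|jpe?g|png|csv|xlsx?|ppt|msg|heic|tiff?|html?|bmp|wps|xps)$">
+Require all granted
+</FilesMatch>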
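Review bot: The `<FilesMatch>` block only grants access and nothing in this file denies it by default, so an upload whose extension is outside the allow-list (for example `.phtml`, `.shtml` or `.cgi`, which the `AddHandler` line does not cover either) is still served under whatever the parent directory permits. If the comment above the block means deny-by-default, add `Require all denied` on its own line before `<FilesMatch>` (Apache 2.4 syntax, matching the `Require all granted` already used). `AddHandler` takes literal extensions, so the trailing `.$` registers a handler for names ending in `.$` rather than anchoring anything, and the `html?` entry in the allow-list is contradicted by `.htm .html` being routed to `cgi-script` with `ExecCGI` off, so those files will be refused anyway — decide which behaviour is intended. The whole mechanism also depends on `AllowOverride` permitting `Options` and `FileInfo` for this directory; that cannot be verified from the file itself. The same points apply to the `upload/.htaccess` section below.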

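--- a/lib/DataGrid.php
+++ b/lib/DataGrid.php
@@ -256,7 +256,7 @@ public static function get($indentifier, $parameters, $misc = 0)
 
 if ($index = 'exportIDs')
 {
-$parameters['exportIDs'] = unserialize(urldecode($parameters['exportIDs']));
+$parameters['exportIDs'] = json_decode(urldecode($parameters['exportIDs']), true);
 }
 }
 }
@@ -269,7 +269,7 @@ public static function get($indentifier, $parameters, $misc = 0)
 
 if (isset($indentifierParts[2]))
 {
-$misc = unserialize($indentifierParts[2]);
+$misc = json_decode($indentifierParts[2], true);
 }
 
 if (!file_exists(sprintf('modules/%s/dataGrids.php', $module)))
@@ -298,7 +298,7 @@ public static function getFromRequest()
 }
 
 $indentifier = $_REQUEST['i'];
-$parameters = unserialize($_REQUEST['p']);
+$parameters = json_decode($_REQUEST['p'], true);
 
 return self::get($indentifier, $parameters);
 }
@@ -318,7 +318,7 @@ public static function getRecentParamaters($indentifier, $misc = 0)
 {
 if ($misc != 0)
 {
-$indentifier .= ':' . serialize($misc);
+$indentifier .= ':' . json_encode($misc);
 }
 
 return $_SESSION['CATS']->getDataGridParameters($indentifier);
@@ -352,7 +352,7 @@ public function getMiscArgument()
 
 if (isset($instanceParts[2]))
 {
-return unserialize($instanceParts[2]);
+return json_decode($instanceParts[2], true);
 }
 else
 {
@@ -375,13 +375,13 @@ public function __construct($instanceName, $parameters, $misc = 0)
 
 if ($misc != 0)
 {
-$this->_instanceName .= ':'.serialize($misc);
+$this->_instanceName .= ':'.json_encode($misc);
 }
 
 /* Allow _GET to override the supplied parameters array */
 if (isset($_GET['parameters' . $this->_instanceName]))
 {
-$this->_parameters = unserialize($_GET['parameters' . $this->_instanceName]);
+$this->_parameters = json_decode($_GET['parameters' . $this->_instanceName], true);
 }
 else
 {
@@ -726,7 +726,7 @@ public function drawRowsPerPageSelector()
 $newParameterArray['maxResults'] = '<dynamic>';
 
 $requestString = $this->_getUnrelatedRequestString();
-$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(serialize($newParameterArray));
+$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(json_encode($newParameterArray));
 
 echo sprintf(
 '<select id="rowsPerPageSelector%s" onchange="document.location.href=\'%s?%s&dynamicArgument%s=\' + this.value;" class="selectBox">%s',
@@ -1731,7 +1731,7 @@ public function draw($noOverflow = false)
 $data['name'],
 $md5InstanceName,
 $md5InstanceName,
-urlencode(serialize($newParameterArray)),
+urlencode(json_encode($newParameterArray)),
 urlencode($this->_getUnrelatedRequestString())
 );
 }
@@ -2001,7 +2001,7 @@ public function getInnerActionAreaItem($actionTitle, $actionURL, $allowAll = tru
 md5($this->_instanceName),
 $actionURL,
 urlencode($this->_instanceName),
-urlencode(serialize($newParameterArraySelected)),
+urlencode(json_encode($newParameterArraySelected)),
 md5($this->_instanceName),
 md5($this->_instanceName)
 );
@@ -2044,14 +2044,14 @@ public function getInnerActionAreaItemPopup($actionTitle, $actionURL, $width, $h
 md5($this->_instanceName),
 $actionURL,
 urlencode($this->_instanceName),
-urlencode(serialize($newParameterArraySelected)),
+urlencode(json_encode($newParameterArraySelected)),
 md5($this->_instanceName),
 md5($this->_instanceName),
 $width,
 $height,
 $actionURL,
 urlencode($this->_instanceName),
-urlencode(serialize($newParameterArrayAll)),
+urlencode(json_encode($newParameterArrayAll)),
 $width,
 $height
 );
@@ -2064,7 +2064,7 @@ public function getInnerActionAreaItemPopup($actionTitle, $actionURL, $width, $h
 md5($this->_instanceName),
 $actionURL,
 urlencode($this->_instanceName),
-urlencode(serialize($newParameterArraySelected)),
+urlencode(json_encode($newParameterArraySelected)),
 md5($this->_instanceName),
 md5($this->_instanceName),
 $width,
@@ -2178,7 +2178,7 @@ public function printNavigation($alphaNavigation = false)
 $ID, $md5InstanceName,
 $ID, $md5InstanceName, //Select Box ID
 urlencode($this->_instanceName), //Instance name for ajax function itself
-urlencode(serialize($newParameterArray)), //New parameter array
+urlencode(json_encode($newParameterArray)), //New parameter array
 $_SESSION['CATS']->getCookie(), //Cookie
 $newParameterArray['maxResults'], //Used to help determine how many rows per page when changing pages
 $this->_currentPage,
@@ -2189,7 +2189,7 @@ public function printNavigation($alphaNavigation = false)
 else
 {
 $requestString = $this->_getUnrelatedRequestString();
-$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(serialize($newParameterArray));
+$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(json_encode($newParameterArray));
 
 echo sprintf(
 '<span style="%s">Page <input id="pageSelection%s%s" style="width: 32px;" value="%s" onkeypress="document.getElementById(\'pageSelectionButton%s%s\').style.display=\'\';"/> of %s&nbsp;<input id="pageSelectionButton%s%s" type="button" class="button" style="display:none;" value="Go" onclick="document.location.href=\'%s?%s&dynamicArgument%s=\' + ((document.getElementById(\'pageSelection%s%s\').value -1 ) * %s);">%s</span>',
@@ -2398,7 +2398,7 @@ private function _makeControlLink($newParameterArray, $className = "", $id = "",
 $style,
 $javascript,
 urlencode($this->_instanceName),
-urlencode(serialize($newParameterArray)),
+urlencode(json_encode($newParameterArray)),
 $_SESSION['CATS']->getCookie(),
 ($className != '' ? 'class="'.$className.'"' : ''),
 ($id != '' ? 'id="'.$id.'"' : '')
@@ -2407,7 +2407,7 @@ private function _makeControlLink($newParameterArray, $className = "", $id = "",
 else
 {
 $requestString = $this->_getUnrelatedRequestString();
-$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(serialize($newParameterArray));
+$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(json_encode($newParameterArray));
 
 return sprintf(
 '<a href="%s?%s" style="%s%s" onclick="%s" %s %s>',
@@ -2545,15 +2545,15 @@ public function _getApplyFilterFunctionDefinition()
 echo sprintf(
 'populateAjaxPager(\'%s\', \'%s\', \'%s\', document.getElementById(\'filterArea%s\').value);',
 urlencode($this->_instanceName),
-urlencode(serialize($newParameterArray)), //New parameter array
+urlencode(json_encode($newParameterArray)), //New parameter array
 $_SESSION['CATS']->getCookie(), //Cookie
 $md5InstanceName
 );
 }
 else
 {
 $requestString = $this->_getUnrelatedRequestString();
-$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(serialize($newParameterArray));
+$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(json_encode($newParameterArray));
 echo 'if (typeof(retainFilterVisible) == \'undefined\') {';
 
 echo sprintf(
@@ -2572,7 +2572,7 @@ public function _getApplyFilterFunctionDefinition()
 $newParameterArray['filterVisible'] = false;
 
 $requestString = $this->_getUnrelatedRequestString();
-$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(serialize($newParameterArray));
+$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(json_encode($newParameterArray));
 
 echo sprintf(
 'document.location.href=\'%s?%s&dynamicArgument%s=\' + urlEncode(document.getElementById(\'filterArea%s\').value);',
@@ -2589,7 +2589,7 @@ public function _getApplyFilterFunctionDefinition()
 $newParameterArray['filter'] = '<dynamic>';
 
 $requestString = $this->_getUnrelatedRequestString();
-$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(serialize($newParameterArray));
+$requestString .= '&' . urlencode('parameters' . $this->_instanceName) . '=' . urlencode(json_encode($newParameterArray));
 
 echo sprintf(
 'document.location.href=\'%s?%s&dynamicArgument%s=\' + urlEncode(document.getElementById(\'filterArea%s\').value);',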
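Review bot: `json_decode(..., true)` returns `null` for malformed input and a scalar for non-object JSON, and none of the new decode sites — `get` (lines 259 and 272), `getFromRequest` (301), `getMiscArgument` (355) and `__construct` (384) — checks the result before it is used as an array, so a bad `p`, `i` or `parameters…` value now flows into array indexing instead of being rejected. Guard at the request boundary and fail closed, e.g. in `getFromRequest`: `$parameters = json_decode($_REQUEST['p'], true);` followed by `if (!is_array($parameters)) { $parameters = []; }`, and do the same for the `$_GET` override in `__construct`. Any link or stored session key built with the old `serialize` format will decode to `null` after this change; if `$_SESSION['CATS']->getDataGridParameters` persists across deploys, stale keys will silently miss rather than error, which is worth a comment or a one-time reset. The context line `if ($index = 'exportIDs')` is an assignment rather than a comparison, so that branch always runs; it is pre-existing, but now that it guards a decode of request-controlled data it should become `if ($index == 'exportIDs')`. Every method touched here starts and ends outside its hunk.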

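--- a/upload/.htaccess
+++ b/upload/.htaccess
@@ -1 +1,10 @@
-AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi .js
+IndexIgnore *
+# Disable script execution
+AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .$
+
+Options -ExecCGI -Indexes
+
+#grant access only if uploading a word-processing or image format
+<FilesMatch "(?i)\.(pdf|docx?|rtf|odt?g?|txt|wpd|jpe?g|png|csv|xlsx?|ppt|msg|heic|tiff?|html?|bmp|wps|xps)$">
+Require all granted
+</FilesMatch>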
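Review bot: The removed `AddType text/plain` line covered `.shtml`, `.phtml`, `.phtm` and `.cgi`, and the replacement `AddHandler cgi-script` list drops all four, so on a server whose PHP or SSI handler is mapped to those extensions they regress from "served as text" to "handled by the default handler"; since this file has no `Require all denied` fallback, the allow-list below does not catch them either. Append `.phtml .phtm .shtml .cgi` to the `AddHandler` line so the coverage is at least what it was before, and add `Require all denied` before `<FilesMatch>` if deny-by-default is the intent. As in `attachments/.htaccess`, the `.$` token is a literal extension rather than an anchor and the `html?` allow-list entry conflicts with `.htm .html` being routed to `cgi-script` with `ExecCGI` off.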
