From: <var...@us...> - 2015-09-22 15:27:09
Revision: 9729 http://sourceforge.net/p/phpwiki/code/9729 Author: vargenau Date: 2015-09-22 15:27:07 +0000 (Tue, 22 Sep 2015) Log Message: ----------- New property: ALLOWED_LOAD giving list of directories from which it is allowed to load pages. Modified Paths: -------------- trunk/config/config-default.ini trunk/config/config-dist.ini trunk/configurator.php trunk/g trunk/lib/loadsave.php Modified: trunk/config/config-default.ini =================================================================== --- trunk/config/config-default.ini 2015-09-22 13:32:45 UTC (rev 9728) +++ trunk/config/config-default.ini 2015-09-22 15:27:07 UTC (rev 9729) @@ -160,6 +160,7 @@ ; VIRTUAL_PATH = ; USE_PATH_INFO = ; TEMP_DIR = /tmp +; ALLOWED_LOAD = /tmp DISABLE_HTTP_REDIRECT = false DISABLE_GETIMAGESIZE = false Modified: trunk/config/config-dist.ini =================================================================== --- trunk/config/config-dist.ini 2015-09-22 13:32:45 UTC (rev 9728) +++ trunk/config/config-dist.ini 2015-09-22 15:27:07 UTC (rev 9729) @@ -1106,6 +1106,11 @@ ; better provide it here. E.g. needed for zipdumps. ;TEMP_DIR = /tmp +; List of directories from which it is allowed to load pages +; Directories are separated with ":" +; It is always allowed to load from pgsrc directories +;ALLOWED_LOAD = /tmp + ;=========================================================================== ; Part Seven: Miscellaneous settings ;=========================================================================== Modified: trunk/configurator.php =================================================================== --- trunk/configurator.php 2015-09-22 13:32:45 UTC (rev 9728) +++ trunk/configurator.php 2015-09-22 15:27:07 UTC (rev 9729) 
@@ -1487,6 +1487,10 @@ $properties["TEMP_DIR"] = new _define_optional('TEMP_DIR', $temp); +$properties["Allowed Load"] = + new _define_commented_optional('ALLOWED_LOAD', '/tmp', + 'List of directories from which it is allowed to load pages. Directories are separated with ":"'); + /////////////////// $properties["Part Seven"] = Modified: trunk/g =================================================================== --- trunk/g 2015-09-22 13:32:45 UTC (rev 9728) +++ trunk/g 2015-09-22 15:27:07 UTC (rev 9729) @@ -150,6 +150,9 @@ // Do not use a directory per user but only one (per project) define('UPLOAD_USERDIR', false); + // Allow Load File only from /tmp + define('ALLOWED_LOAD', '/tmp'); + // Use black list of extensions instead of white list define('DISABLE_UPLOAD_ONLY_ALLOWED_EXTENSIONS', true); Modified: trunk/lib/loadsave.php =================================================================== --- trunk/lib/loadsave.php 2015-09-22 13:32:45 UTC (rev 9728) +++ trunk/lib/loadsave.php 2015-09-22 15:27:07 UTC (rev 9729) 
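Review bot: The new default `define('ALLOWED_LOAD', '/tmp');` in `g` points the allow-list at a directory that is normally world-writable, so it bounds which directory the wiki will read page dumps from but not who can stage a file there; the one-line comment above it should say so rather than only "Allow Load File only from /tmp". I would change it to `// Allow Load File only from /tmp (world-writable: use an admin-only directory in production)` and give the configurator.php description text on the same line the same caveat. Whether LoadFileOrDir is reachable by non-admin users is not visible from these hunks, so how much the default matters depends on that.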
@@ -1447,8 +1447,29 @@
 function LoadFileOrDir(&$request)
 {
 $source = $request->getArg('source');
- $finder = new FileFinder;
+ $finder = new FileFinder();
 $source = $finder->slashifyPath($source);
+ if (!(defined('ALLOWED_LOAD'))) {
+ define('ALLOWED_LOAD', '/tmp');
+ }
+ $allowed_dirs = explode(':', ALLOWED_LOAD);
+ if ($source[0] == '/') { // Absolute path
+ $allowed = false;
+ foreach ($allowed_dirs as $path) {
+ if (string_starts_with($source, $path)) {
+ $allowed = true;
+ }
+ }
+ if (!$allowed) {
+ $html = HTML::p(array('class' => 'error'),
+ _("Fatal PhpWiki Error")._(': ')
+ .sprintf(_("Not in allowed list. Unable to load: %s"), $source));
+ GeneratePage($html, $request->_deducePagename());
+ flush();
+ return;
+ }
+ }
+
 StartLoadDump($request, sprintf(_("Loading “%s”"), $source));
 LoadAny($request, $source);
 EndLoadDump($request);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
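Review bot: The allow-list test in the new absolute-path branch is a bare prefix match, so with the default `ALLOWED_LOAD = /tmp` a `source` of `/tmpfoo/x` or `/tmp/../etc/passwd` is accepted, and nothing in the hunk canonicalises the path before comparing (what `slashifyPath()` normalises is not visible here). I would resolve the path with `realpath()`, deny when that returns false, and accept only when the result equals an allowed directory or starts with that directory followed by `/`; `$source[0]` also needs an empty-string guard, since `getArg('source')` comes from the request. Relative and drive-letter sources (`../../x`, `C:/x`) skip the check entirely, which is presumably intended for the pgsrc case mentioned in config-dist.ini but should be confirmed against how `LoadAny()` resolves them. The loop can `break` on the first match and `==` should be `===`. The closing brace of LoadFileOrDir lies outside the hunk.
```php
    $source = $finder->slashifyPath($source);
    if (!defined('ALLOWED_LOAD')) {
        define('ALLOWED_LOAD', '/tmp');
    }
    if ($source !== '' && $source[0] === '/') { // Absolute path
        // Resolve symlinks and ".." first, then require the path to be an
        // allowed directory itself or to lie strictly below one, so that
        // "/tmp" does not also admit "/tmpfoo" or "/tmp/../etc".
        $resolved = realpath($source);
        $allowed = false;
        if ($resolved !== false) {
            foreach (explode(':', ALLOWED_LOAD) as $path) {
                $path = rtrim($path, '/');
                if ($path !== '' && ($resolved === $path || string_starts_with($resolved, $path . '/'))) {
                    $allowed = true;
                    break;
                }
            }
        }
        if (!$allowed) {
            // … unchanged: error page, GeneratePage(), flush(), return …
        }
    }
```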