Merge branch 'master' into WebGUI8. Merged up to 7.9.12

2010-08-13 12:25:19 -07:00 · 2010-08-13 12:25:19 -07:00 · 3e8e2d452c
commit 3e8e2d452c
parent 7b218942b3 b2924bdb7b
27 changed files with 333 additions and 77 deletions
--- a/lib/WebGUI/Storage.pm
+++ b/lib/WebGUI/Storage.pm
@ -316,10 +316,7 @@ sub addFileFromFilesystem {
        return undef;
    }
    my $filename = (File::Spec->splitpath( $pathToFile ))[2];
-    if (isIn($self->getFileExtension($filename), qw(pl perl sh cgi php asp pm))) {
-        $filename =~ s/\./\_/g;
-        $filename .= ".txt";
-    }
+    $filename = $self->block_extensions($filename);
    $filename = $self->session->url->makeCompliant($filename);
    my $source;
    my $dest;
@ -382,11 +379,7 @@ sub addFileFromFormPost {
            if ($upload->size > 1024 * $self->session->setting->get("maxAttachmentSize"));
        $clientFilename =~ s/.*[\/\\]//;
        $clientFilename =~ s/^thumb-//;
-        my $type = $self->getFileExtension($clientFilename);
-        if (isIn($type, qw(pl perl sh cgi php asp html htm))) { # make us safe from malicious uploads
-            $clientFilename =~ s/\./\_/g;
-            $clientFilename .= ".txt";
-        }
+        $clientFilename = $self->block_extensions($clientFilename);
        $filename = $session->url->makeCompliant($clientFilename);
        my $filePath = $self->getPath($filename);
        $attachmentCount++;
@ -451,10 +444,7 @@ The content to write to the file.

 sub addFileFromScalar {
 	my ($self, $filename, $content) = @_;
-    if (isIn($self->getFileExtension($filename), qw(pl perl sh cgi php asp html htm))) { # make us safe from malicious uploads
-        $filename =~ s/\./\_/g;
-        $filename .= ".txt";
-    }
+    $filename = $self->block_extensions($filename);
    $filename = $self->session->url->makeCompliant($filename);
 	if (open(my $FILE, ">", $self->getPath($filename))) {
 		print $FILE $content;
@ -500,6 +490,32 @@ sub adjustMaxImageSize {

 #-------------------------------------------------------------------

+=head2 block_extensions ( $file )
+
+Rename files so they can't be used for malicious purposes.  The list of bad extensions
+includs shell script, perl scripts, php, ASP, perl modules and HTML files.
+
+Any file found with a bad extension will be renamed from file.ext to file_ext.txt
+
+=head3 $file
+
+The file to check for bad extensions.
+
+=cut 
+
+sub block_extensions {
+    my $self = shift;
+    my $file = shift;
+    my $extension = $self->getFileExtension($file);
+    if (isIn($extension, qw(pl perl sh cgi php asp pm html htm))) {
+        $file =~ s/\.$extension/\_$extension/;
+        $file .= ".txt";
+    }
+    return $file;
+}
+
+#-------------------------------------------------------------------
+
 =head2 clear ( )

 Clears a storage location of all files.  If configured for CDN, add
@ -1827,6 +1843,13 @@ sub untar {
    }, ".");
    $self->_changeOwner(@files);

+    ##Prevent dangerous files from being added to the storage location via untar
+    FILE: foreach my $file (@files) {
+        my $blockname = $temp->block_extensions($file);
+        next FILE if $blockname eq $file;
+        $temp->renameFile($file, $blockname);
+    }
+
    chdir $originalDir;
    return $temp;
 }