Secure and fix the Zip Archive.
This commit is contained in:
Colin Kuskie
parent
13a222f6ce
commit
7251cc2c23
3 changed files with 73 additions and 4 deletions
|
|
@ -5,6 +5,7 @@
|
|||
- fixed possible vulnerability loading help files
|
||||
- fixed possible vulnerability with filenames in storage locations
|
||||
- fixed possible vulnerability with extracting tar files in storage locations
|
||||
- fixed possible vulnerability with extracting files in Zip Archive assets.
|
||||
|
||||
7.9.11
|
||||
- fixed #11755: New cart does not update shipping methods correctly
|
||||
|
|
|
|||
|
|
@ -74,19 +74,21 @@ sub unzip {
|
|||
my $dir_guard = Scope::Guard->new(sub { chdir $cwd });
|
||||
|
||||
my $i18n = WebGUI::International->new($self->session,"Asset_ZipArchive");
|
||||
if ($filename =~ m/\.zip/i) {
|
||||
if ($filename =~ m/\.zip$/i) {
|
||||
my $zip = Archive::Zip->new();
|
||||
unless ($zip->read($filename) == $zip->AZ_OK){
|
||||
$self->session->errorHandler->warn($i18n->get("zip_error"));
|
||||
return 0;
|
||||
}
|
||||
$zip->extractTree();
|
||||
} elsif ($filename =~ m/\.tar/i) {
|
||||
$zip->extractTree();
|
||||
$self->fixFilenames;
|
||||
} elsif ($filename =~ m/\.tar$/i) {
|
||||
Archive::Tar->extract_archive($filepath.'/'.$filename,1);
|
||||
if (Archive::Tar->error) {
|
||||
$self->session->errorHandler->warn(Archive::Tar->error);
|
||||
return 0;
|
||||
}
|
||||
$self->fixFilenames;
|
||||
} else {
|
||||
$self->session->errorHandler->warn($i18n->get("bad_archive"));
|
||||
}
|
||||
|
|
@ -153,6 +155,28 @@ sub definition {
|
|||
}
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 fixFilenames ( )
|
||||
|
||||
Fix any files with dangerous extensions, in all files that were extracted. This is done
|
||||
locally, because if we used a method from Storage, then it would also rename HTML files.
|
||||
|
||||
=cut
|
||||
|
||||
sub fixFilenames {
|
||||
my $self = shift;
|
||||
my $storage = $self->getStorageLocation;
|
||||
my $files = $storage->getFiles('all');
|
||||
FILE: foreach my $file (@{ $files }) {
|
||||
my $extension = $storage->getFileExtension($file);
|
||||
next FILE unless isIn($extension, qw/pl perl pm cgi php asp sh/);
|
||||
my $newFile = $file;
|
||||
$newFile =~ s/\.$extension/_$extension.txt/;
|
||||
$storage->renameFile($file, $newFile);
|
||||
}
|
||||
}
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 prepareView ( )
|
||||
|
|
@ -196,7 +220,7 @@ sub processPropertiesFromFormPost {
|
|||
return undef;
|
||||
}
|
||||
|
||||
unless ($file =~ m/\.tar/i || $file =~ m/\.zip/i) {
|
||||
unless ($file =~ m/\.tar$/i || $file =~ m/\.zip$/i) {
|
||||
$storage->delete;
|
||||
$self->session->db->write("update FileAsset set filename=NULL where assetId=".$self->session->db->quote($self->getId));
|
||||
$self->session->scratch->set("za_error",$i18n->get("za_error"));
|
||||
|
|
|
|||
44
t/Asset/File/ZipArchive.t
Normal file
44
t/Asset/File/ZipArchive.t
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
#-------------------------------------------------------------------
|
||||
# WebGUI is Copyright 2001-2009 Plain Black Corporation.
|
||||
#-------------------------------------------------------------------
|
||||
# Please read the legal notices (docs/legal.txt) and the license
|
||||
# (docs/license.txt) that came with this distribution before using
|
||||
# this software.
|
||||
#-------------------------------------------------------------------
|
||||
# http://www.plainblack.com info@plainblack.com
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
use FindBin;
|
||||
use strict;
|
||||
use lib "$FindBin::Bin/../../lib";
|
||||
|
||||
use WebGUI::Storage;
|
||||
use WebGUI::Asset;
|
||||
use WebGUI::Asset::File::ZipArchive;
|
||||
|
||||
use WebGUI::Test;
|
||||
use Test::More; # increment this value for each test you create
|
||||
use Test::Deep;
|
||||
plan tests => 2;
|
||||
|
||||
my $session = WebGUI::Test->session;
|
||||
|
||||
my $node = WebGUI::Asset->getImportNode($session);
|
||||
|
||||
my $arch = $node->addChild({
|
||||
className => 'WebGUI::Asset::File::ZipArchive',
|
||||
});
|
||||
|
||||
WebGUI::Test->addToCleanup($arch);
|
||||
|
||||
my $storage = $arch->getStorageLocation;
|
||||
$storage->addFileFromFilesystem(WebGUI::Test->getTestCollateralPath('extensions.tar'));
|
||||
ok($arch->unzip($storage, 'extensions.tar'), 'unzip returns true when it successfully unpacked');
|
||||
|
||||
$arch->fixFilenames();
|
||||
|
||||
cmp_bag(
|
||||
$storage->getFiles,
|
||||
[ qw{ extensions.tar extension_pm.txt extension_perl.txt extension.html extensions extensions/extension.html }],
|
||||
'files after fixFilenames, html files left alone'
|
||||
);
|
||||
Loading…
Add table
Add a link
Reference in a new issue