oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Secure and fix the Zip Archive.

Browse source
This commit is contained in:
Colin Kuskie 2010-08-11 17:38:15 -07:00
parent 13a222f6ce
commit 7251cc2c23
3 changed files with 73 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/changelog/7.x.x.txt
View file

@ -5,6 +5,7 @@
- fixed possible vulnerability loading help files - fixed possible vulnerability loading help files
- fixed possible vulnerability with filenames in storage locations - fixed possible vulnerability with filenames in storage locations
- fixed possible vulnerability with extracting tar files in storage locations - fixed possible vulnerability with extracting tar files in storage locations
- fixed possible vulnerability with extracting files in Zip Archive assets.
7.9.11 7.9.11
- fixed #11755: New cart does not update shipping methods correctly - fixed #11755: New cart does not update shipping methods correctly

32
lib/WebGUI/Asset/File/ZipArchive.pm
View file

@ -74,19 +74,21 @@ sub unzip {
my $dir_guard = Scope::Guard->new(sub { chdir $cwd }); my $dir_guard = Scope::Guard->new(sub { chdir $cwd });
my $i18n = WebGUI::International->new($self->session,"Asset_ZipArchive"); my $i18n = WebGUI::International->new($self->session,"Asset_ZipArchive");
if ($filename =~ m/\.zip/i) { if ($filename =~ m/\.zip$/i) {
my $zip = Archive::Zip->new(); my $zip = Archive::Zip->new();
unless ($zip->read($filename) == $zip->AZ_OK){ unless ($zip->read($filename) == $zip->AZ_OK){
$self->session->errorHandler->warn($i18n->get("zip_error")); $self->session->errorHandler->warn($i18n->get("zip_error"));
return 0; return 0;
} }
$zip->extractTree(); $zip->extractTree();
} elsif ($filename =~ m/\.tar/i) { $self->fixFilenames;
} elsif ($filename =~ m/\.tar$/i) {
Archive::Tar->extract_archive($filepath.'/'.$filename,1); Archive::Tar->extract_archive($filepath.'/'.$filename,1);
if (Archive::Tar->error) { if (Archive::Tar->error) {
$self->session->errorHandler->warn(Archive::Tar->error); $self->session->errorHandler->warn(Archive::Tar->error);
return 0; return 0;
} }
$self->fixFilenames;
} else { } else {
$self->session->errorHandler->warn($i18n->get("bad_archive")); $self->session->errorHandler->warn($i18n->get("bad_archive"));
} }
@ -153,6 +155,28 @@ sub definition {
} }
#-------------------------------------------------------------------
=head2 fixFilenames ( )
Fix any files with dangerous extensions, in all files that were extracted. This is done
locally, because if we used a method from Storage, then it would also rename HTML files.
=cut
sub fixFilenames {
my $self = shift;
my $storage = $self->getStorageLocation;
my $files = $storage->getFiles('all');
FILE: foreach my $file (@{ $files }) {
my $extension = $storage->getFileExtension($file);
next FILE unless isIn($extension, qw/pl perl pm cgi php asp sh/);
my $newFile = $file;
$newFile =~ s/\.$extension/_$extension.txt/;
$storage->renameFile($file, $newFile);
}
}
#------------------------------------------------------------------- #-------------------------------------------------------------------
=head2 prepareView ( ) =head2 prepareView ( )
@ -196,7 +220,7 @@ sub processPropertiesFromFormPost {
return undef; return undef;
} }
unless ($file =~ m/\.tar/i || $file =~ m/\.zip/i) { unless ($file =~ m/\.tar$/i || $file =~ m/\.zip$/i) {
$storage->delete; $storage->delete;
$self->session->db->write("update FileAsset set filename=NULL where assetId=".$self->session->db->quote($self->getId)); $self->session->db->write("update FileAsset set filename=NULL where assetId=".$self->session->db->quote($self->getId));
$self->session->scratch->set("za_error",$i18n->get("za_error")); $self->session->scratch->set("za_error",$i18n->get("za_error"));

44
t/Asset/File/ZipArchive.t Normal file
View file

@ -0,0 +1,44 @@
#-------------------------------------------------------------------
# WebGUI is Copyright 2001-2009 Plain Black Corporation.
#-------------------------------------------------------------------
# Please read the legal notices (docs/legal.txt) and the license
# (docs/license.txt) that came with this distribution before using
# this software.
#-------------------------------------------------------------------
# http://www.plainblack.com info@plainblack.com
#-------------------------------------------------------------------
use FindBin;
use strict;
use lib "$FindBin::Bin/../../lib";
use WebGUI::Storage;
use WebGUI::Asset;
use WebGUI::Asset::File::ZipArchive;
use WebGUI::Test;
use Test::More; # increment this value for each test you create
use Test::Deep;
plan tests => 2;
my $session = WebGUI::Test->session;
my $node = WebGUI::Asset->getImportNode($session);
my $arch = $node->addChild({
className => 'WebGUI::Asset::File::ZipArchive',
});
WebGUI::Test->addToCleanup($arch);
my $storage = $arch->getStorageLocation;
$storage->addFileFromFilesystem(WebGUI::Test->getTestCollateralPath('extensions.tar'));
ok($arch->unzip($storage, 'extensions.tar'), 'unzip returns true when it successfully unpacked');
$arch->fixFilenames();
cmp_bag(
$storage->getFiles,
[ qw{ extensions.tar extension_pm.txt extension_perl.txt extension.html extensions extensions/extension.html }],
'files after fixFilenames, html files left alone'
);