block the same set of extensions in http, scalar and file uploads in Storage.

2010-08-11 14:50:19 -07:00 · 2010-08-11 14:50:19 -07:00 · 9f724a7193
commit 9f724a7193
parent 1f99da3315
3 changed files with 109 additions and 20 deletions
--- a/lib/WebGUI/Storage.pm
+++ b/lib/WebGUI/Storage.pm
@ -315,10 +315,7 @@ sub addFileFromFilesystem {
        return undef;
    }
    my $filename = (File::Spec->splitpath( $pathToFile ))[2];
-    if (isIn($self->getFileExtension($filename), qw(pl perl sh cgi php asp pm))) {
-        $filename =~ s/\./\_/g;
-        $filename .= ".txt";
-    }
+    $filename = $self->block_extensions($filename);
    $filename = $self->session->url->makeCompliant($filename);
    my $source;
    my $dest;
@ -383,11 +380,7 @@ sub addFileFromFormPost {
            if ($upload->size > 1024 * $self->session->setting->get("maxAttachmentSize"));
        $clientFilename =~ s/.*[\/\\]//;
        $clientFilename =~ s/^thumb-//;
-        my $type = $self->getFileExtension($clientFilename);
-        if (isIn($type, qw(pl perl sh cgi php asp html htm))) { # make us safe from malicious uploads
-            $clientFilename =~ s/\./\_/g;
-            $clientFilename .= ".txt";
-        }
+        $clientFilename = $self->block_extensions($clientFilename);
        $filename = $session->url->makeCompliant($clientFilename);
        my $filePath = $self->getPath($filename);
        $attachmentCount++;
@ -452,10 +445,7 @@ The content to write to the file.

 sub addFileFromScalar {
 	my ($self, $filename, $content) = @_;
-    if (isIn($self->getFileExtension($filename), qw(pl perl sh cgi php asp html htm))) { # make us safe from malicious uploads
-        $filename =~ s/\./\_/g;
-        $filename .= ".txt";
-    }
+    $filename = $self->block_extensions($filename);
    $filename = $self->session->url->makeCompliant($filename);
 	if (open(my $FILE, ">", $self->getPath($filename))) {
 		print $FILE $content;
@ -501,6 +491,32 @@ sub adjustMaxImageSize {

 #-------------------------------------------------------------------

+=head2 block_extensions ( $file )
+
+Rename files so they can't be used for malicious purposes.  The list of bad extensions
+includs shell script, perl scripts, php, ASP, perl modules and HTML files.
+
+Any file found with a bad extension will be renamed from file.ext to file_ext.txt
+
+=head3 $file
+
+The file to check for bad extensions.
+
+=cut 
+
+sub block_extensions {
+    my $self = shift;
+    my $file = shift;
+    my $extension = $self->getFileExtension($file);
+    if (isIn($extension, qw(pl perl sh cgi php asp pm html htm))) {
+        $file =~ s/\.$extension/\_$extension/;
+        $file .= ".txt";
+    }
+    return $file;
+}
+
+#-------------------------------------------------------------------
+
 =head2 clear ( )

 Clears a storage location of all files.  If configured for CDN, add