Changeset 3354:a9db771a5a70 for inc

Timestamp:

10/05/16 17:14:00 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

2.10

Children:

3357:9bbeb2691a23, 3358:8c3a4eda8e2b

Message:

Fix CVE-2016-7902: Dotclear <= 2.10.2 (Media Manager) Unrestricted File Upload — Thank's Hongkun Zeng for report

File:

inc/core/class.dc.media.php

-                      r3299
+                      r3354
           $zip = new fileUnzip($f->file);
           $zip->setExcludePattern($this->exclude_pattern);
           $zip->getList(false,'#(^|/)(__MACOSX|\.svn|\.DS_Store|\.directory|Thumbs\.db)(/|$)#');
+          $list = $zip->getList(false,'#(^|/)(__MACOSX|\.svn|\.DS_Store|\.directory|Thumbs\.db)(/|$)#');
           if ($create_dir)
 …
           $zip->unzipAll($target);
           $zip->close();
+          // Clean-up all extracted filenames
+          $clean = function ($name) {
+               $n = text::deaccent($name);
+               $n = preg_replace('/^[.]/u','',$n);
+               return preg_replace('/[^A-Za-z0-9._\-\/]/u','_',$n);
+          };
+          foreach ($list as $zk => $zv) {
+               // Check if extracted file exists
+               $zf = $target.'/'.$zk;
+               if (!$zv['is_dir'] && file_exists($zf)) {
+                    $zt = $clean($zf);
+                    if ($zt != $zf) {
+                         rename($zf,$zt);
+                    }
+               }
+          }
           return dirname($f->relname).'/'.$destination;
+     }

Note: See TracChangeset for help on using the changeset viewer.