
Commit 7ecc0c9

committed
Webservice: Add filter on PPT filename for remote PPT2LP converter
1 parent dbab0cc commit 7ecc0c9


2 files changed

+17
-4
lines changed


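--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@@ -632,4 +632,14 @@ private static function generateSecTokenVariable(string $prefix = ''): string
 
 return $prefix.'_sec_token';
 }
+/**
+* Sanitize a string, so it can be used in the exec() command without
+* "jail-breaking" to execute other commands.
+* @param string $param The string to filter
+* @return string
+*/
+public static function sanitizeExecParam(string $param): string
+{
+return preg_replace('/[`;&|]/', '', $param);
+}
 }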
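Review bot: The denylist in `sanitizeExecParam` (new line 643) strips only backtick, `;`, `&` and `|`, which still leaves `$(...)`, newlines, redirections `<`/`>`, and single/double quotes that terminate a quoted argument, so a value such as `$(id).ppt` or one containing a quote can still break out of the shell argument the docblock says it protects. Because the value is destined for an `exec()` command string, the robust fix is to quote at the call site with `escapeshellarg()` and keep this helper only as defence in depth, or make the helper allowlist-based, e.g. `return preg_replace('/[^A-Za-z0-9._-]/', '', $param);` if callers only need a safe filename. The docblock should also state that the result can be empty and that callers must not rely on it alone for shell safety. The enclosing class starts outside the hunk.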

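--- a/main/webservices/additional_webservices.php
+++ b/main/webservices/additional_webservices.php
@@ -29,10 +29,13 @@ function wsConvertPpt($pptData)
 }
 }
 $fileData = $pptData['file_data'];
-$dataInfo = pathinfo($pptData['file_name']);
-$fileName = basename($pptData['file_name'], '.'.$dataInfo['extension']);
-$fullFileName = $pptData['file_name'];
-$size = $pptData['service_ppt2lp_size'];
+// Clean filename to avoid hacks. Prevents "&" and ";" to be used in filename, notably
+$sanitizedFileName = Security::sanitizeExecParam($pptData['file_name']);
+$dataInfo = pathinfo($sanitizedFileName);
+$fileName = basename($sanitizedFileName, '.'.$dataInfo['extension']);
+// Add additional cleaning of .php and .htaccess files
+$fullFileName = Security::filter_filename($sanitizedFileName);
+$size = Security::sanitizeExecParam($pptData['service_ppt2lp_size']);
 $w = '800';
 $h = '600';
 if (!empty($size)) {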
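Review bot: `$size` on new line 38 is still a free-form caller-supplied string after `sanitizeExecParam`, which removes only four characters; since it apparently feeds `$w`/`$h` and then a converter command (the parsing and the exec call are outside the hunk, so this is inferred), a strict allowlist check is the safer shape, e.g. `if (!preg_match('/^\d+x\d+$/', $size)) { $size = ''; }` placed before `if (!empty($size))`. On new lines 34-35, `pathinfo()` returns no `extension` key when the name has no dot, so `$dataInfo['extension']` raises an undefined-index notice and `basename()` receives `'.'`; this predates the commit, but `'.'.($dataInfo['extension'] ?? '')` would close it. Note also that `$fileName` is taken from the sanitized name while `$fullFileName` additionally goes through `filter_filename`, so the two derived names can diverge for inputs that `filter_filename` alters — worth a comment on line 37 saying whether that is intended. `wsConvertPpt` starts and ends outside the hunk.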
