Fix remote file overwrite and arbitrary file injection in the file system

williamdes · williamdes · commit d3552efd403e · 2023-12-17T01:52:26.000+01:00
diff --git a/composer.json b/composer.json
@@ -10,7 +10,8 @@
   "require": {
     "php": ">=8.1.0",
     "cakephp/filesystem": "^3.0",
-    "monolog/monolog": "^2.0"
+    "monolog/monolog": "^2.0",
+    "ondrej-vrto/php-filename-sanitize": "^1.4"
   },
   "require-dev": {
     "phpunit/phpunit": "~10.0"
diff --git a/src/Resumable.php b/src/Resumable.php
@@ -8,6 +8,7 @@
 use Dilab\Network\Response;
 use Monolog\Logger;
 use Monolog\Handler\StreamHandler;
+use OndrejVrto\FilenameSanitize\FilenameSanitize;
 
 class Resumable
 {
@@ -159,18 +160,14 @@ public function getExtension()
     }
 
     /**
-     * Makes sure the orginal extension never gets overriden by user defined filename.
+     * Creates a safe name
      *
-     * @param string User defined filename
-     * @param string Original filename
-     * @return string Filename that always has an extension from the original file
+     * @param string $name Original name
+     * @return string A safer name
      */
-    private function createSafeFilename($filename, $originalFilename)
+    private function createSafeName(string $name): string
     {
-        $filename = $this->removeExtension($filename);
-        $extension = $this->findExtension($originalFilename);
-
-        return sprintf('%s.%s', $filename, $extension);
+        return FilenameSanitize::of($name)->get();
     }
 
     public function handleTestChunk()
@@ -227,9 +224,9 @@ private function createFileAndDeleteTmp($identifier, $filename)
 
         // if the user has set a custom filename
         if (null !== $this->filename) {
-            $finalFilename = $this->createSafeFilename($this->filename, $filename);
+            $finalFilename = $this->createSafeName($this->filename);
         } else {
-            $finalFilename = $filename;
+            $finalFilename = $this->createSafeName($filename);
         }
 
         // replace filename reference by the final file
@@ -288,7 +285,7 @@ public function tmpChunkDir($identifier)
         if (!empty($this->instanceId)){
             $tmpChunkDir .= $this->instanceId . DIRECTORY_SEPARATOR;
         }
-        $tmpChunkDir .= $identifier;
+        $tmpChunkDir .= $this->createSafeName($identifier);
         $this->ensureDirExists($tmpChunkDir);
         return $tmpChunkDir;
     }
@@ -318,7 +315,7 @@ private function ensureDirExists($path)
 
     public function tmpChunkFilename($filename, $chunkNumber)
     {
-        return $filename . '.' . str_pad($chunkNumber, 4, 0, STR_PAD_LEFT);
+        return $this->createSafeName($filename) . '.' . str_pad($chunkNumber, 4, 0, STR_PAD_LEFT);
     }
 
     public function getExclusiveFileHandle($name)

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`use Dilab\Network\Response;`
`9`	`9`	`use Monolog\Logger;`
`10`	`10`	`use Monolog\Handler\StreamHandler;`
	`11`	`+use OndrejVrto\FilenameSanitize\FilenameSanitize;`
`11`	`12`
`12`	`13`	`class Resumable`
`13`	`14`	`{`
`@@ -159,18 +160,14 @@ public function getExtension()`
`159`	`160`	`}`
`160`	`161`
`161`	`162`	`/**`
`162`		`- * Makes sure the orginal extension never gets overriden by user defined filename.`
	`163`	`+ * Creates a safe name`
`163`	`164`	`*`
`164`		`- * @param string User defined filename`
`165`		`- * @param string Original filename`
`166`		`- * @return string Filename that always has an extension from the original file`
	`165`	`+ * @param string $name Original name`
	`166`	`+ * @return string A safer name`
`167`	`167`	`*/`
`168`		`- private function createSafeFilename($filename, $originalFilename)`
	`168`	`+ private function createSafeName(string $name): string`
`169`	`169`	`{`
`170`		`- $filename = $this->removeExtension($filename);`
`171`		`- $extension = $this->findExtension($originalFilename);`
`172`		`-`
`173`		`- return sprintf('%s.%s', $filename, $extension);`
	`170`	`+ return FilenameSanitize::of($name)->get();`
`174`	`171`	`}`
`175`	`172`
`176`	`173`	`public function handleTestChunk()`
`@@ -227,9 +224,9 @@ private function createFileAndDeleteTmp($identifier, $filename)`
`227`	`224`
`228`	`225`	`// if the user has set a custom filename`
`229`	`226`	`if (null !== $this->filename) {`
`230`		`- $finalFilename = $this->createSafeFilename($this->filename, $filename);`
	`227`	`+ $finalFilename = $this->createSafeName($this->filename);`
`231`	`228`	`} else {`
`232`		`- $finalFilename = $filename;`
	`229`	`+ $finalFilename = $this->createSafeName($filename);`
`233`	`230`	`}`
`234`	`231`
`235`	`232`	`// replace filename reference by the final file`
`@@ -288,7 +285,7 @@ public function tmpChunkDir($identifier)`
`288`	`285`	`if (!empty($this->instanceId)){`
`289`	`286`	`$tmpChunkDir .= $this->instanceId . DIRECTORY_SEPARATOR;`
`290`	`287`	`}`
`291`		`- $tmpChunkDir .= $identifier;`
	`288`	`+ $tmpChunkDir .= $this->createSafeName($identifier);`
`292`	`289`	`$this->ensureDirExists($tmpChunkDir);`
`293`	`290`	`return $tmpChunkDir;`
`294`	`291`	`}`
`@@ -318,7 +315,7 @@ private function ensureDirExists($path)`
`318`	`315`
`319`	`316`	`public function tmpChunkFilename($filename, $chunkNumber)`
`320`	`317`	`{`
`321`		`- return $filename . '.' . str_pad($chunkNumber, 4, 0, STR_PAD_LEFT);`
	`318`	`+ return $this->createSafeName($filename) . '.' . str_pad($chunkNumber, 4, 0, STR_PAD_LEFT);`
`322`	`319`	`}`
`323`	`320`
`324`	`321`	`public function getExclusiveFileHandle($name)`