Clean $type parameter + clean, check_abs_path removes folder references

jmontoyaa · jmontoyaa · commit eb823e7ff52c · 2021-01-28T14:24:51.000+01:00
#security
diff --git a/main/document/download_uploaded_files.php b/main/document/download_uploaded_files.php
@@ -16,6 +16,8 @@
 if (empty($courseInfo)) {
     $courseInfo = api_get_course_info();
 }
+$type = preg_replace("/[^a-zA-Z]+/", '', $type);
+
 if (empty($courseInfo) || empty($type) || empty($file)) {
     api_not_allowed(true);
 }
diff --git a/main/inc/lib/security.lib.php b/main/inc/lib/security.lib.php
@@ -58,6 +58,8 @@ public static function check_abs_path($abs_path, $checker_path)
             return false;
         }
 
+        // Clean $abs_path.
+        $abs_path = str_replace(['//', '../', './'], ['/', '', ''], $abs_path);
         $true_path = str_replace("\\", '/', realpath($abs_path));
         $checker_path = str_replace("\\", '/', realpath($checker_path));
 

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@`
`16`	`16`	`if (empty($courseInfo)) {`
`17`	`17`	`$courseInfo = api_get_course_info();`
`18`	`18`	`}`
	`19`	`+$type = preg_replace("/[^a-zA-Z]+/", '', $type);`
	`20`	`+`
`19`	`21`	`if (empty($courseInfo) \|\| empty($type) \|\| empty($file)) {`
`20`	`22`	`api_not_allowed(true);`
`21`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,8 @@ public static function check_abs_path($abs_path, $checker_path)`
`58`	`58`	`return false;`
`59`	`59`	`}`
`60`	`60`
	`61`	`+ // Clean $abs_path.`
	`62`	`+ $abs_path = str_replace(['//', '../', './'], ['/', '', ''], $abs_path);`
`61`	`63`	`$true_path = str_replace("\\", '/', realpath($abs_path));`
`62`	`64`	`$checker_path = str_replace("\\", '/', realpath($checker_path));`
`63`	`65`