* [FIX] Critical Fix. Local file inclusion through URL. Thanks to Artem for the notice

2026-03-14 04:16:54 +01:00 · 2017-04-29 12:13:22 +02:00
parent 620a78da5f
commit 16e024f55b
4 changed files with 56 additions and 50 deletions
--- a/inc/SP/Http/Request.class.php
+++ b/inc/SP/Http/Request.class.php
@@ -35,6 +35,8 @@ use SP\Html\Html;
 */
 class Request
 {
+    private static $secureDirs = ['css', 'js'];
+
    /**
     * Comprobar el método utilizado para enviar un formulario.
     *
@@ -55,6 +57,48 @@ class Request
        }
    }

+    /**
+     * Devolver las cabeceras enviadas desde el cliente.
+     *
+     * @param string $header nombre de la cabecera a devolver
+     * @return array|string
+     */
+    public static function getRequestHeaders($header = '')
+    {
+        if (!empty($header)) {
+            $header = strpos($header, 'HTTP_') === false ? 'HTTP_' . str_replace('-', '_', strtoupper($header)) : $header;
+
+            return isset($_SERVER[$header]) ? $_SERVER[$header] : '';
+        }
+
+        return self::getApacheHeaders();
+    }
+
+    /**
+     * Función que sustituye a apache_request_headers
+     *
+     * @return array
+     */
+    private static function getApacheHeaders()
+    {
+        if (function_exists('\apache_request_headers')) {
+            return apache_request_headers();
+        }
+
+        $headers = [];
+
+        foreach ($_SERVER as $key => $value) {
+            if (strpos($key, 'HTTP_') === 0) {
+                $key = ucwords(strtolower(str_replace('_', '-', substr($key, 5))), '-');
+                $headers[$key] = $value;
+            } else {
+                $headers[$key] = $value;
+            }
+        }
+
+        return $headers;
+    }
+
    /**
     * Analizar un valor encriptado y devolverlo desencriptado
     *
@@ -142,48 +186,6 @@ class Request
        return (self::getRequestHeaders('Cache-Control') === 'max-age=0');
    }

-    /**
-     * Devolver las cabeceras enviadas desde el cliente.
-     *
-     * @param string $header nombre de la cabecera a devolver
-     * @return array|string
-     */
-    public static function getRequestHeaders($header = '')
-    {
-        if (!empty($header)) {
-            $header = strpos($header, 'HTTP_') === false ? 'HTTP_' . str_replace('-', '_', strtoupper($header)) : $header;
-
-            return isset($_SERVER[$header]) ? $_SERVER[$header] : '';
-        }
-
-        return self::getApacheHeaders();
-    }
-
-    /**
-     * Función que sustituye a apache_request_headers
-     *
-     * @return array
-     */
-    private static function getApacheHeaders()
-    {
-        if (function_exists('\apache_request_headers')) {
-            return apache_request_headers();
-        }
-
-        $headers = [];
-
-        foreach ($_SERVER as $key => $value) {
-            if (strpos($key, 'HTTP_') === 0) {
-                $key = ucwords(strtolower(str_replace('_', '-', substr($key, 5))), '-');
-                $headers[$key] = $value;
-            } else {
-                $headers[$key] = $value;
-            }
-        }
-
-        return $headers;
-    }
-
    /**
     * Comprobar si existen parámetros pasados por POST para enviarlos por GET
     */
@@ -218,22 +220,26 @@ class Request
    /**
     * Devolver una ruta segura para
     *
-     * @param      $path
-     * @param null $base
+     * @param        $path
+     * @param string $base
     * @return string
     */
    public static function getSecureAppPath($path, $base = null)
    {
        if ($base === null) {
            $base = Init::$SERVERROOT;
+        } elseif (!in_array(basename($base), self::$secureDirs, true)) {
+            return '';
        }

        $realPath = realpath($base . DIRECTORY_SEPARATOR . $path);

-        if ($realPath === false || strpos($realPath, $base) !== 0) {
+        if ($realPath === false
+            || strpos($realPath, $base) !== 0
+        ) {
            return '';
-        } else {
-            return $realPath;
        }
+
+        return $realPath;
    }
 }
--- a/inc/SP/Util/Util.class.php
+++ b/inc/SP/Util/Util.class.php
@@ -407,7 +407,7 @@ class Util
     */
    public static function getVersion($retBuild = false, $normalized = false)
    {
-        $build = 17042501;
+        $build = 17042901;
        $version = [2, 1, 8];

        if ($normalized === true) {
--- a/js/app-main.min.js
+++ b/js/app-main.min.js
@@ -1,4 +1,4 @@
-var $jscomp={scope:{}};$jscomp.defineProperty="function"==typeof Object.defineProperties?Object.defineProperty:function(b,f,g){if(g.get||g.set)throw new TypeError("ES3 does not support getters and setters.");b!=Array.prototype&&b!=Object.prototype&&(b[f]=g.value)};$jscomp.getGlobal=function(b){return"undefined"!=typeof window&&window===b?b:"undefined"!=typeof global&&null!=global?global:b};$jscomp.global=$jscomp.getGlobal(this);$jscomp.SYMBOL_PREFIX="jscomp_symbol_";
+var $jscomp={scope:{}};$jscomp.defineProperty="function"==typeof Object.defineProperties?Object.defineProperty:function(b,f,g){if(g.get||g.set)throw new TypeError("ES3 does not support getters and setters.");b!=Array.prototype&&b!=Object.prototype&&(b[f]=g.value)};$jscomp.getGlobal=function(b){return"undefined"!=typeof window&&window===b?b:"undefined"!=typeof global?global:b};$jscomp.global=$jscomp.getGlobal(this);$jscomp.SYMBOL_PREFIX="jscomp_symbol_";
 $jscomp.initSymbol=function(){$jscomp.initSymbol=function(){};$jscomp.global.Symbol||($jscomp.global.Symbol=$jscomp.Symbol)};$jscomp.symbolCounter_=0;$jscomp.Symbol=function(b){return $jscomp.SYMBOL_PREFIX+(b||"")+$jscomp.symbolCounter_++};
 $jscomp.initSymbolIterator=function(){$jscomp.initSymbol();var b=$jscomp.global.Symbol.iterator;b||(b=$jscomp.global.Symbol.iterator=$jscomp.global.Symbol("iterator"));"function"!=typeof Array.prototype[b]&&$jscomp.defineProperty(Array.prototype,b,{configurable:!0,writable:!0,value:function(){return $jscomp.arrayIterator(this)}});$jscomp.initSymbolIterator=function(){}};$jscomp.arrayIterator=function(b){var f=0;return $jscomp.iteratorPrototype(function(){return f<b.length?{done:!1,value:b[f++]}:{done:!0}})};
 $jscomp.iteratorPrototype=function(b){$jscomp.initSymbolIterator();b={next:b};b[$jscomp.global.Symbol.iterator]=function(){return this};return b};$jscomp.array=$jscomp.array||{};$jscomp.iteratorFromArray=function(b,f){$jscomp.initSymbolIterator();b instanceof String&&(b+="");var g=0,c={next:function(){if(g<b.length){var l=g++;return{value:f(l,b[l]),done:!1}}c.next=function(){return{done:!0,value:void 0}};return c.next()}};c[Symbol.iterator]=function(){return c};return c};
--- a/js/app-triggers.min.js
+++ b/js/app-triggers.min.js
@@ -1,5 +1,5 @@
 var $jscomp={scope:{},findInternal:function(b,d,e){b instanceof String&&(b=String(b));for(var a=b.length,c=0;c<a;c++){var f=b[c];if(d.call(e,f,c,b))return{i:c,v:f}}return{i:-1,v:void 0}}};$jscomp.defineProperty="function"==typeof Object.defineProperties?Object.defineProperty:function(b,d,e){if(e.get||e.set)throw new TypeError("ES3 does not support getters and setters.");b!=Array.prototype&&b!=Object.prototype&&(b[d]=e.value)};
-$jscomp.getGlobal=function(b){return"undefined"!=typeof window&&window===b?b:"undefined"!=typeof global&&null!=global?global:b};$jscomp.global=$jscomp.getGlobal(this);$jscomp.polyfill=function(b,d,e,a){if(d){e=$jscomp.global;b=b.split(".");for(a=0;a<b.length-1;a++){var c=b[a];c in e||(e[c]={});e=e[c]}b=b[b.length-1];a=e[b];d=d(a);d!=a&&null!=d&&$jscomp.defineProperty(e,b,{configurable:!0,writable:!0,value:d})}};
+$jscomp.getGlobal=function(b){return"undefined"!=typeof window&&window===b?b:"undefined"!=typeof global?global:b};$jscomp.global=$jscomp.getGlobal(this);$jscomp.polyfill=function(b,d,e,a){if(d){e=$jscomp.global;b=b.split(".");for(a=0;a<b.length-1;a++){var c=b[a];c in e||(e[c]={});e=e[c]}b=b[b.length-1];a=e[b];d=d(a);d!=a&&null!=d&&$jscomp.defineProperty(e,b,{configurable:!0,writable:!0,value:d})}};
 $jscomp.polyfill("Array.prototype.find",function(b){return b?b:function(b,e){return $jscomp.findInternal(this,b,e).v}},"es6-impl","es3");
 sysPass.Triggers=function(b){var d=b.log,e=function(a){var c={valueField:"id",labelField:"name",searchField:["name"]};a.find(".select-box").each(function(a){var d=$(this);c.plugins=d.hasClass("select-box-deselect")?{clear_selection:{title:b.config().LANG[51]}}:{};if(d.data("onchange")){var f=d.data("onchange").split("/");c.onChange=function(a){if(0<a)if(2===f.length)sysPassApp.actions()[f[0]][f[1]](d);else sysPassApp.actions()[f[0]](d)}}d.selectize(c)});a.find("#allowed_exts").selectize({create:function(a){return{value:a.toUpperCase(),
 text:a.toUpperCase()}},createFilter:/^[a-z0-9]{1,4}$/i,plugins:["remove_button"]});a.find("#wikifilter").selectize({create:!0,createFilter:/^[a-z0-9:._-]+$/i,plugins:["remove_button"]})};return{views:{main:function(){d.info("views:main");clipboard.isSupported()||b.msg.info(b.config().LANG[65]);$(".btn-menu").click(function(){var a=$(this);"1"===a.attr("data-history-reset")&&b.appRequests().history.reset();b.appActions().doAction({actionId:a.data("action-id")},a.data("view"))});$("#btnLogout").click(function(a){b.appActions().main.logout()});