Commit 7db8d354 authored by Patrick Barroca's avatar Patrick Barroca :grin:

Merge branch 'hotline#32112_faille_secu_explorateur_fichiers' into 'stable'

Hotline#32112 faille secu explorateur fichiers

See merge request !1212
parents 9f635ac6 193862f0
- ticket #32112 : Connection de l'explorateur de fichiers avec l'authentification Bokeh
\ No newline at end of file
...@@ -19,9 +19,17 @@ ...@@ -19,9 +19,17 @@
* @return boolean true is access granted, false if no access * @return boolean true is access granted, false if no access
*/ */
function auth() { function auth() {
// You can insert your own code over here to check if the user is authorized. $base_path = __DIR__ . '/../../../../'; // :)
// If you use a session variable, you've got to start the session first (session_start()) require_once($base_path . 'cosmogramme/php/classes/classe_cosmopaths.php');
return true;
$cosmo_path = new CosmoPaths('ckeditor');
define('BASE_URL', $cosmo_path->getBaseUrl());
define('USERFILESPATH', $cosmo_path->getUserfilesPath());
require_once($base_path . 'cosmogramme/storm_init.php');
setupSession();
return (new Class_FileManager())->isAuthorized($_GET['path']);
} }
......
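Review bot: auth() reads `$_GET['path']` unconditionally, but the connector's upload mode carries its path in `$_POST['currentpath']` (this commit removes the `opacTraversalProtect($_POST['currentpath'])` call from that branch), so for that request the authorization check runs against a missing key and, if auth() is also the gate for POST requests, always denies the upload while raising an undefined-index notice. Reading whichever parameter the request actually uses keeps the gate consistent for both verbs, e.g. `$path = isset($_GET['path']) ? $_GET['path'] : (isset($_POST['currentpath']) ? $_POST['currentpath'] : '');` followed by `return (new Class_FileManager())->isAuthorized($path);`. The `// :)` next to the four-level `__DIR__` climb would be more useful stating what it reaches, which the next line shows is the directory containing `cosmogramme/`, e.g. `// four levels up: the directory that holds cosmogramme/`. I infer the upload-mode interaction from the connector hunk in this commit; the place auth() is invoked is outside the diff.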
...@@ -18,27 +18,6 @@ header('Content-type: application/json'); ...@@ -18,27 +18,6 @@ header('Content-type: application/json');
*/ */
/**
* Fast fix for afi-opac context
* @author Patrick Barroca
* @param string $path
*/
function opacTraversalProtect ($path) {
$path = (string)$path;
$parts = explode('/', $path);
array_shift($parts);
if (2 > count($parts)) {
exit();
}
if ('userfiles' != $parts[1]) {
exit();
}
if (in_array('..', $parts)) {
exit();
}
}
require_once('./inc/filemanager.inc.php'); require_once('./inc/filemanager.inc.php');
require_once('filemanager.config.php'); require_once('filemanager.config.php');
require_once('filemanager.class.php'); require_once('filemanager.class.php');
...@@ -64,21 +43,18 @@ if(!isset($_GET)) { ...@@ -64,21 +43,18 @@ if(!isset($_GET)) {
} else { } else {
if(isset($_GET['mode']) && $_GET['mode']!='') { if(isset($_GET['mode']) && $_GET['mode']!='') {
switch($_GET['mode']) { switch($_GET['mode']) {
default: default:
opacTraversalProtect($_GET['path']);
$fm->error($fm->lang('MODE_ERROR')); $fm->error($fm->lang('MODE_ERROR'));
break; break;
case 'getinfo': case 'getinfo':
opacTraversalProtect($_GET['path']);
if($fm->getvar('path')) { if($fm->getvar('path')) {
$response = $fm->getinfo(); $response = $fm->getinfo();
} }
break; break;
case 'getfolder': case 'getfolder':
opacTraversalProtect($_GET['path']);
if($fm->getvar('path')) { if($fm->getvar('path')) {
$response = $fm->getfolder(); $response = $fm->getfolder();
} }
...@@ -92,21 +68,18 @@ if(!isset($_GET)) { ...@@ -92,21 +68,18 @@ if(!isset($_GET)) {
break; break;
case 'delete': case 'delete':
opacTraversalProtect($_GET['path']);
if($fm->getvar('path')) { if($fm->getvar('path')) {
$response = $fm->delete(); $response = $fm->delete();
} }
break; break;
case 'addfolder': case 'addfolder':
opacTraversalProtect($_GET['path']);
if($fm->getvar('path') && $fm->getvar('name')) { if($fm->getvar('path') && $fm->getvar('name')) {
$response = $fm->addfolder(); $response = $fm->addfolder();
} }
break; break;
case 'download': case 'download':
opacTraversalProtect($_GET['path']);
if($fm->getvar('path')) { if($fm->getvar('path')) {
$fm->download(); $fm->download();
} }
...@@ -121,15 +94,14 @@ if(!isset($_GET)) { ...@@ -121,15 +94,14 @@ if(!isset($_GET)) {
} else if(isset($_POST['mode']) && $_POST['mode']!='') { } else if(isset($_POST['mode']) && $_POST['mode']!='') {
switch($_POST['mode']) { switch($_POST['mode']) {
default: default:
$fm->error($fm->lang('MODE_ERROR')); $fm->error($fm->lang('MODE_ERROR'));
break; break;
case 'add': case 'add':
if($fm->postvar('currentpath')) { if($fm->postvar('currentpath')) {
opacTraversalProtect($_POST['currentpath']);
$response = $fm->add(); $response = $fm->add();
} }
break; break;
......
...@@ -20,88 +20,94 @@ ...@@ -20,88 +20,94 @@
*/ */
class CosmoPaths { class CosmoPaths {
const COSMO_DIR_NAME = 'cosmogramme'; protected
$_root_dir_name,
$_filesystem;
protected $_filesystem;
public function getBasePath() { public function __construct($root_dir_name = 'cosmogramme') {
$parts = array_filter(explode('/', $this->getFilePath())); $this->_root_dir_name = $root_dir_name;
while ((count($parts)>0) && (end($parts) !== self::COSMO_DIR_NAME)) }
array_pop($parts);
array_pop($parts);
return ($this->isWindowsPath() ? '' : '/') . implode('/', $parts) . '/';
}
public function isWindowsPath() { public function getBasePath() {
return strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'; $parts = array_filter(explode('/', $this->getFilePath()));
} while ((count($parts)>0) && (end($parts) !== $this->_root_dir_name))
array_pop($parts);
array_pop($parts);
return ($this->isWindowsPath() ? '' : '/') . implode('/', $parts) . '/';
}
public function setFileSystem($filesystem) { public function isWindowsPath() {
$this->_filesystem = $filesystem; return strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
} }
public function getFilesystem() { public function setFileSystem($filesystem) {
require_once(realpath(dirname(__FILE__)).'/../../../library/Class/Testing/FileSystem.php'); $this->_filesystem = $filesystem;
return null == $this->_filesystem }
? new Class_Testing_FileSystem()
: $this->_filesystem;
}
public function getConfigPath() { public function getFilesystem() {
return $this->getBasePath() . self::COSMO_DIR_NAME . '/config.php'; require_once(realpath(dirname(__FILE__)).'/../../../library/Class/Testing/FileSystem.php');
} return null == $this->_filesystem
? new Class_Testing_FileSystem()
: $this->_filesystem;
}
public function getBokehConfigPath() { public function getConfigPath() {
return $this->getBasePath() . 'config.ini'; return $this->getBasePath() . $this->_root_dir_name . '/config.php';
} }
public function getBaseUrl() { public function getBokehConfigPath() {
if (!isset($_SERVER['SCRIPT_NAME'])) return $this->getBasePath() . 'config.ini';
return '/' . $this->getSite() . '/'; }
$parts = array_filter(explode('/', $_SERVER['SCRIPT_NAME']));
while ((count($parts)>0) && (end($parts) !== self::COSMO_DIR_NAME))
array_pop($parts);
array_pop($parts);
return $parts
? '/' . implode('/', $parts) . '/'
: '/';
}
public function getBaseUrl() {
if (!isset($_SERVER['SCRIPT_NAME']))
return '/' . $this->getSite();
public function getCosmoBaseUrl() { $parts = array_filter(explode('/', $_SERVER['SCRIPT_NAME']));
return $this->getBaseUrl() . self::COSMO_DIR_NAME . '/'; while ((count($parts)>0) && (end($parts) !== $this->_root_dir_name))
} array_pop($parts);
array_pop($parts);
return $parts
? '/' . implode('/', $parts)
: '';
}
public function getUserfilesPath() { public function getCosmoBaseUrl() {
return $this->getBasePath() . 'userfiles'; return $this->getBaseUrl() . '/' . $this->_root_dir_name . '/';
} }
public function getSite() { public function getUserfilesPath() {
$parts = array_filter(explode('/', $this->getBasePath())); return $this->getBasePath() . 'userfiles';
return array_pop($parts); }
}
protected function getFilePath() { public function getSite() {
if (isset($_SERVER['SCRIPT_FILENAME']) $parts = array_filter(explode('/', $this->getBasePath()));
&& false !== strpos($_SERVER['SCRIPT_FILENAME'], self::COSMO_DIR_NAME)) return array_pop($parts);
return $_SERVER['SCRIPT_FILENAME']; }
$current_path = $this->getFileSystem()->getcwd();
if (false !== strpos($current_path, self::COSMO_DIR_NAME))
return $current_path;
return realpath(dirname(__FILE__)); protected function getFilePath() {
} if (isset($_SERVER['SCRIPT_FILENAME'])
&& false !== strpos($_SERVER['SCRIPT_FILENAME'], $this->_root_dir_name))
return $_SERVER['SCRIPT_FILENAME'];
$current_path = $this->getFileSystem()->getcwd();
if (false !== strpos($current_path, $this->_root_dir_name))
return $current_path;
return realpath(dirname(__FILE__));
}
} }
?> ?>
\ No newline at end of file
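Review bot: getBaseUrl() now returns '' at the document root and drops the trailing slash in a sub-directory (the updated test expectations confirm this), but nothing in the class documents the new contract, and any caller outside this commit that still writes `getBaseUrl() . 'something'` silently loses its separator. A docblock such as `/** @return string URL prefix of the site without trailing slash, '' when served from the document root */` on getBaseUrl, and the mirror note on getCosmoBaseUrl that it is the one adding the separator, would make the split of responsibility explicit. The `$root_dir_name` constructor argument is also used as a substring needle in getFilePath() via strpos, so a name that occurs elsewhere in SCRIPT_FILENAME or the cwd matches too; whether that matters for 'ckeditor' depends on the deployment layout, which the diff does not show. The file still ends with `?>` and no newline; dropping the closing tag in a declaration-only file avoids accidental output before headers.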
...@@ -42,7 +42,7 @@ abstract class CosmoPathsTestCase extends PHPUnit_Framework_TestCase { ...@@ -42,7 +42,7 @@ abstract class CosmoPathsTestCase extends PHPUnit_Framework_TestCase {
/** @test */ /** @test */
public function baseUrlShouldBeBokehDotFr() { public function baseUrlShouldBeBokehDotFr() {
$this->assertEquals('/bokeh.fr/', $this->_cosmo_paths->getBaseUrl()); $this->assertEquals('/bokeh.fr', $this->_cosmo_paths->getBaseUrl());
} }
...@@ -113,7 +113,13 @@ class CosmoPathsFromHttpRequestInASubdirTest extends PHPUnit_Framework_TestCase ...@@ -113,7 +113,13 @@ class CosmoPathsFromHttpRequestInASubdirTest extends PHPUnit_Framework_TestCase
/** @test */ /** @test */
public function baseUrlShouldBeProjectsBokeh() { public function baseUrlShouldBeProjectsBokeh() {
$this->assertEquals('/projects/bokeh/', $this->_cosmo_paths->getBaseUrl()); $this->assertEquals('/projects/bokeh', $this->_cosmo_paths->getBaseUrl());
}
/** @test */
public function cosmogrammeBaseUrlShouldBeProjectsBokehCosmogramme() {
$this->assertEquals('/projects/bokeh/cosmogramme/', $this->_cosmo_paths->getCosmoBaseUrl());
} }
...@@ -171,7 +177,7 @@ class CosmoPathsFromHttpRequestAtRootTest extends PHPUnit_Framework_TestCase { ...@@ -171,7 +177,7 @@ class CosmoPathsFromHttpRequestAtRootTest extends PHPUnit_Framework_TestCase {
/** @test */ /** @test */
public function baseUrlShouldBeEmpty() { public function baseUrlShouldBeEmpty() {
$this->assertEquals('/', $this->_cosmo_paths->getBaseUrl()); $this->assertEquals('', $this->_cosmo_paths->getBaseUrl());
} }
......
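Review bot: The new cosmogrammeBaseUrlShouldBeProjectsBokehCosmogramme test only covers the sub-directory case; since getCosmoBaseUrl now inserts the separator itself and getBaseUrl returns '' at the document root, the at-root class should pin that result too, e.g. `$this->assertEquals('/cosmogramme/', $this->_cosmo_paths->getCosmoBaseUrl());` in CosmoPathsFromHttpRequestAtRootTest. No test here constructs `new CosmoPaths('ckeditor')`, the value the connector's auth() now passes, so the new constructor argument and the root-dir lookup it drives are unexercised.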
...@@ -19,7 +19,8 @@ ...@@ -19,7 +19,8 @@
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/ */
$base_path = realpath(dirname(__FILE__)); $base_path = realpath(dirname(__FILE__));
set_include_path($base_path . '/library' . PATH_SEPARATOR . set_include_path($base_path . PATH_SEPARATOR .
$base_path . '/library' . PATH_SEPARATOR .
$base_path . '/library/storm/src' . PATH_SEPARATOR . $base_path . '/library/storm/src' . PATH_SEPARATOR .
$base_path . '/library/storm/zf/library' . PATH_SEPARATOR . $base_path . '/library/storm/zf/library' . PATH_SEPARATOR .
get_include_path()); get_include_path());
......
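Review bot: Prepending `$base_path` itself to the include path is not self-explanatory: after this change any bare `require 'foo.php'` in the application resolves against the project root before `library/`, which can shadow a library file with a same-named file at the root. A one-line comment stating the intent would record why, e.g. `// project root first so files under cosmogramme/ can be required by root-relative name — confirm`; I infer that purpose from the other hunks in this commit rather than from this one.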
<?php
/**
* Copyright (c) 2012, Agence Française Informatique (AFI). All rights reserved.
*
* BOKEH is free software; you can redistribute it and/or modify
* it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE as published by
* the Free Software Foundation.
*
* There are special exceptions to the terms and conditions of the AGPL as it
* is applied to this software (see README file).
*
* BOKEH is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU AFFERO GENERAL PUBLIC LICENSE
* along with BOKEH; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
class Class_FileManager {
public function isAuthorized($path) {
return Class_Users::isCurrentUserCanAccesBackend()
&& false !== strpos($path, USERFILESURL)
&& false === strpos($path, '..');
}
}
?>
\ No newline at end of file
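Review bot: isAuthorized() accepts USERFILESURL anywhere in `$path` (`false !== strpos`), whereas the opacTraversalProtect() this commit removes required `userfiles` to be the first path segment; if the intent is "only paths under the userfiles tree", the check should be a prefix test, `0 === strpos($path, USERFILESURL)`, otherwise a path that merely contains the userfiles URL further along still passes the gate. The `..` test blocks plain parent-directory components, but since the connector passes the raw request value, casting first with `$path = (string) $path;` avoids strpos() on null when the key is absent (the upload mode sends `currentpath` in POST instead). A short docblock stating the contract — backend-capable user, path located under userfiles, no `..` component — would let later changes be checked against it, and the trailing `?>` without newline should go in a declaration-only file.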
...@@ -38,7 +38,7 @@ function setupOpac() { ...@@ -38,7 +38,7 @@ function setupOpac() {
require_once('requires.php'); require_once('requires.php');
$cfg = loadConfig(); $cfg = loadConfig();
setupSession($cfg); setupSession();
setupDatabase($cfg); setupDatabase($cfg);
Class_AdminVar::findAll(); Class_AdminVar::findAll();
setupLanguage(); setupLanguage();
...@@ -166,7 +166,7 @@ function setupCache($cfg) { ...@@ -166,7 +166,7 @@ function setupCache($cfg) {
} }
function setupSession($cfg) { function setupSession() {
// Start Session // Start Session
$session = new Zend_Session_Namespace(md5(BASE_URL)); $session = new Zend_Session_Namespace(md5(BASE_URL));
if (!isset($session->initialized)) if (!isset($session->initialized))
......
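Review bot: setupSession() keys the namespace on `md5(BASE_URL)`, so the ckeditor connector's auth() in this commit only sees the OPAC login if the BASE_URL it defines from `CosmoPaths::getBaseUrl()` is byte-identical to the one the OPAC front controller defines; the trailing-slash change to getBaseUrl looks intended to make them match, but nothing states or asserts that dependency. A comment here, e.g. `// namespace must match the OPAC's BASE_URL exactly: the ckeditor connector defines the same constant to share this session`, would make the coupling explicit, and a test comparing the two constants would pin it. Dropping the unused `$cfg` parameter is fine; setupSession()'s body continues outside the hunk, and where the OPAC defines BASE_URL is not in the diff.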
<?php
/**
* Copyright (c) 2012, Agence Française Informatique (AFI). All rights reserved.
*
* BOKEH is free software; you can redistribute it and/or modify
* it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE as published by
* the Free Software Foundation.
*
* There are special exceptions to the terms and conditions of the AGPL as it
* is applied to this software (see README file).
*
* BOKEH is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU AFFERO GENERAL PUBLIC LICENSE
* along with BOKEH; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
class FileManagerTest extends ModelTestCase {
protected
$_filemanager,
$_admin;
public function setUp() {
parent::setUp();
$this->_filemanager = new Class_FileManager();
$this->_admin = $this->fixture('Class_Users',
['id' => 2,
'login' => 'admin',
'password' => 'admin']);
$this->_admin->beModoBib()->save();
$this->_guest = $this->fixture('Class_Users',
['id' => 3,
'login' => 'guest',
'password' => 'guest']);
$this->_guest->beInvite()->save();
}
/** @test */
public function withoutAuthenticationUserfilesShouldNotBeAuthorized() {
$this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . 'images/bokeh.png'));
}
/** @test */
public function asModoBibUserfilesShouldBeAuthorized() {
ZendAfi_Auth::getInstance()->logUser($this->_admin);
$this->assertTrue($this->_filemanager->isAuthorized(USERFILESURL . 'images/bokeh.png'));
}
/** @test */
public function asGuestUserfilesShouldNotBeAuthorized() {
ZendAfi_Auth::getInstance()->logUser($this->_guest);
$this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . 'images/bokeh.png'));
}
}
class FileManagerAsAdminTest extends ModelTestCase {
protected $_filemanager;
public function setUp() {
parent::setUp();
$this->_filemanager = new Class_FileManager();
$this->_admin = $this->fixture('Class_Users',
['id' => 2,
'login' => 'admin',
'password' => 'admin']);
$this->_admin->beAdminPortail()->save();
ZendAfi_Auth::getInstance()->logUser($this->_admin);
}
/** @test */
public function rootShouldNotBeAuthorized() {
$this->assertFalse($this->_filemanager->isAuthorized('/'));
}
/** @test */
public function upperDirectoryShouldNotBeAuthorized() {
$this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '../'));
}
}
?>
\ No newline at end of file
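Review bot: FileManagerTest assigns `$this->_guest` in setUp() but declares only `$_filemanager` and `$_admin`, and FileManagerAsAdminTest assigns `$this->_admin` while declaring only `$_filemanager`; both rely on dynamic property creation, which is deprecated from PHP 8.2 and hides typos. Add `$_guest` to the first class's `protected` list and declare `protected $_filemanager, $_admin;` in the second. The cases also never exercise a path that contains USERFILESURL without starting with it, which is the boundary the substring check in Class_FileManager::isAuthorized leaves open; an assertion such as `$this->assertFalse($this->_filemanager->isAuthorized('/other/' . USERFILESURL . 'x.png'));` would document the intended contract.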
...@@ -19,9 +19,6 @@ ...@@ -19,9 +19,6 @@
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/ */
require_once 'Class/Newsletter.php';
require_once 'ModelTestCase.php';
class UserFixtures { class UserFixtures {
public static function miles() { public static function miles() {
return array('ID_USER' => 1, return array('ID_USER' => 1,
......