From 69bfbf11c7e9487dfa96293aaa797ff14bb513f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Tue, 24 Mar 2009 12:24:45 +0000
Subject: [PATCH] Protect against inclusion of arbitrary file and HTTP header splitting.
---
 bs_disp_as_mime_type.php | 82 ++++++++++++++++++++++++----------------
 bs_play_media.php | 3 +-
 2 files changed, 52 insertions(+), 33 deletions(-)
diff --git a/bs_disp_as_mime_type.php b/bs_disp_as_mime_type.php
index 921f5d885..4a9bdc155 100644
--- a/bs_disp_as_mime_type.php
+++ b/bs_disp_as_mime_type.php
@@ -6,47 +6,65 @@ * @package BLOBStreaming */
+/**
+ * Core library.
+ */
+require_once './libraries/common.inc.php';
+
+// load PMA configuration
+$PMA_Config = $_SESSION['PMA_Config'];
+
+// retrieve BS server variables from PMA configuration
+$bs_server = $PMA_Config->get('BLOBSTREAMING_SERVER');
+if (empty($bs_server)) die('No blob streaming server configured!');
+
+// Check URL parameters
+PMA_checkParameters(array('reference', 'c_type'));
+
+// Increase time limit, because fetching blob might take some time
 set_time_limit(0);
-$filename = isset($_REQUEST['file_path']) ? $_REQUEST['file_path'] : NULL;
-$c_type = isset($_REQUEST['c_type']) ? $_REQUEST['c_type'] : NULL;
+$reference = $_REQUEST['reference'];
+/*
+ * FIXME: Maybe it would be better to check MIME type against whitelist as
+ * this code sems to support only few MIME types (check
+ * function PMA_BS_CreateReferenceLink in libraries/blobstreaming.lib.php).
+ */
+$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']);
-if (isset($filename) && isset($c_type))
-{
- $hdrs = get_headers($filename, 1);
+$filename = 'http://' . $bs_server . '/' . $reference;
- if (is_array($hdrs))
- $f_size = $hdrs['Content-Length'];
+$hdrs = get_headers($filename, 1);
- header("Expires: 0");
- header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
- header("Cache-Control: no-store, no-cache, must-revalidate");
- header("Cache-Control: post-check=0, pre-check=0", false);
- header("Pragma: no-cache");
- header("Content-type: $c_type");
- header('Content-length: ' . $f_size);
- header("Content-disposition: attachment; filename=" . 
basename($filename));
+if ($hdrs === FALSE) die('Failed to fetch headers');
- $fHnd = fopen($filename, "rb");
+$fHnd = fopen($filename, "rb");
- if ($fHnd)
- {
- $pos = 0;
- $content = "";
+if ($fHnd === FALSE) die('Failed to open remote URL');
- while (!feof($fHnd))
- {
- $content .= fread($fHnd, $f_size);
- $pos = strlen($content);
+$f_size = $hdrs['Content-Length'];
- if ($pos >= $f_size)
- break;
- }
+header("Expires: 0");
+header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Cache-Control: post-check=0, pre-check=0", false);
+header("Pragma: no-cache");
+header("Content-type: $c_type");
+header('Content-length: ' . $f_size);
+header("Content-disposition: attachment; filename=" . basename($filename));
- echo $content;
- flush();
+$pos = 0;
+$content = "";
- fclose($fHnd);
- }
+while (!feof($fHnd)) {
+ $content .= fread($fHnd, $f_size);
+ $pos = strlen($content);
+
+ if ($pos >= $f_size)
+ break;
 }
-?>
+
+echo $content;
+flush();
+
+fclose($fHnd);
diff --git a/bs_play_media.php b/bs_play_media.php
index 020c73c6c..d2bea0b30 100644
--- a/bs_play_media.php
+++ b/bs_play_media.php
@@ -40,7 +40,8 @@ $bs_file_path = "http://" . $bs_server . '/' . $bsReference;
 if (isset($customType) && $customType)
- $bs_file_path = "bs_disp_as_mime_type.php?file_path=" . urlencode($bs_file_path) . "&c_type=" . urlencode($mediaType);
+
+ $bs_file_path = 'bs_disp_as_mime_type.php' . PMA_generate_common_url(array('reference' => $bsReference, 'c_type' => $mediaType));
 ?>
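Review bot: The sanitising pattern on the new `$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']);` line is malformed: PHP finds the closing delimiter by scanning for the first unescaped `/` without regard to character classes, so the pattern ends after `0-9`, `_-]/` is taken as modifiers, preg_replace warns about an unknown modifier and returns null, and the `Content-type:` header is sent empty for every request. Escape the slash or choose another delimiter: `$c_type = preg_replace('#[^A-Za-z0-9/_-]#', '_', $_REQUEST['c_type']);`. The same filtering is missing for `$reference`, which is concatenated unchecked into `$filename` and then, via `basename($filename)`, into the unquoted `filename=` parameter of `Content-disposition`, so a value containing spaces or `;` still reshapes that header; restricting it to the same character set before building the URL would close that. `$hdrs['Content-Length']` is also read without checking the key exists, so a response lacking it (or a redirected one, where get_headers can return an array under that key) produces an undefined index and a meaningless `Content-length` value.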
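Review bot: The new `$bs_file_path = 'bs_disp_as_mime_type.php' . PMA_generate_common_url(...)` assignment is the body of a brace-less `if`, and the commit inserts a blank line between the condition and that body, which makes the dependency easy to misread and would leave any later added statement silently unconditional; wrap it as `if (isset($customType) && $customType) {` / the assignment / `}`. A short comment on that line noting that PMA_generate_common_url supplies the leading `?` and the session token, so callers must not prepend `?` themselves, would also help, assuming that is its behaviour here since the removed line built the query string by hand.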