Protect against inclusion of arbitrary file and HTTP header splitting.
@@ -6,16 +6,42 @@
|
|||||||
* @package BLOBStreaming
|
* @package BLOBStreaming
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Core library.
|
||||||
|
*/
|
||||||
|
require_once './libraries/common.inc.php';
|
||||||
|
|
||||||
|
// load PMA configuration
|
||||||
|
$PMA_Config = $_SESSION['PMA_Config'];
|
||||||
|
|
||||||
|
// retrieve BS server variables from PMA configuration
|
||||||
|
$bs_server = $PMA_Config->get('BLOBSTREAMING_SERVER');
|
||||||
|
if (empty($bs_server)) die('No blob streaming server configured!');
|
||||||
|
|
||||||
|
// Check URL parameters
|
||||||
|
PMA_checkParameters(array('reference', 'c_type'));
|
||||||
|
|
||||||
|
// Increase time limit, because fetching blob might take some time
|
||||||
set_time_limit(0);
|
set_time_limit(0);
|
||||||
|
|
||||||
$filename = isset($_REQUEST['file_path']) ? $_REQUEST['file_path'] : NULL;
|
$reference = $_REQUEST['reference'];
|
||||||
$c_type = isset($_REQUEST['c_type']) ? $_REQUEST['c_type'] : NULL;
|
/*
|
||||||
|
* FIXME: Maybe it would be better to check MIME type against whitelist as
|
||||||
|
* this code sems to support only few MIME types (check
|
||||||
|
* function PMA_BS_CreateReferenceLink in libraries/blobstreaming.lib.php).
|
||||||
|
*/
|
||||||
|
$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']);
|
||||||
|
|
||||||
|
$filename = 'http://' . $bs_server . '/' . $reference;
|
||||||
|
|
||||||
if (isset($filename) && isset($c_type))
|
|
||||||
{
|
|
||||||
$hdrs = get_headers($filename, 1);
|
$hdrs = get_headers($filename, 1);
|
||||||
|
|
||||||
if (is_array($hdrs))
|
if ($hdrs === FALSE) die('Failed to fetch headers');
|
||||||
|
|
||||||
|
$fHnd = fopen($filename, "rb");
|
||||||
|
|
||||||
|
if ($fHnd === FALSE) die('Failed to open remote URL');
|
||||||
|
|
||||||
$f_size = $hdrs['Content-Length'];
|
$f_size = $hdrs['Content-Length'];
|
||||||
|
|
||||||
header("Expires: 0");
|
header("Expires: 0");
|
||||||
@@ -27,15 +53,10 @@ if (isset($filename) && isset($c_type))
|
|||||||
header('Content-length: ' . $f_size);
|
header('Content-length: ' . $f_size);
|
||||||
header("Content-disposition: attachment; filename=" . basename($filename));
|
header("Content-disposition: attachment; filename=" . basename($filename));
|
||||||
|
|
||||||
$fHnd = fopen($filename, "rb");
|
|
||||||
|
|
||||||
if ($fHnd)
|
|
||||||
{
|
|
||||||
$pos = 0;
|
$pos = 0;
|
||||||
$content = "";
|
$content = "";
|
||||||
|
|
||||||
while (!feof($fHnd))
|
while (!feof($fHnd)) {
|
||||||
{
|
|
||||||
$content .= fread($fHnd, $f_size);
|
$content .= fread($fHnd, $f_size);
|
||||||
$pos = strlen($content);
|
$pos = strlen($content);
|
||||||
|
|
||||||
@@ -47,6 +68,3 @@ if (isset($filename) && isset($c_type))
|
|||||||
flush();
|
flush();
|
||||||
|
|
||||||
fclose($fHnd);
|
fclose($fHnd);
|
||||||
}
|
|
||||||
}
|
|
||||||
?>
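Review bot: The new sanitiser `$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']);` uses `/` as the pattern delimiter but also contains an unescaped `/` inside the character class; PHP's delimiter scan does not understand bracket expressions (the manual requires the delimiter to be backslash-escaped wherever it appears), so the pattern ends at `0-9`, `_-]/` is read as modifiers, preg_replace emits an "Unknown modifier" warning and returns null, and `isset($c_type)` is then false so the whole output block is skipped and nothing is served. Escape it or change delimiters: `$c_type = preg_replace('~[^A-Za-z0-9/_-]~', '_', $_REQUEST['c_type']);`. Separately, `$reference` is concatenated raw into `'http://' . $bs_server . '/' . $reference` and later into `basename($filename)` for `Content-disposition`; `rawurlencode($reference)` would keep query or fragment characters (and anything the HTTP wrapper passes through) from reaching the streaming server, and stripping `"` from the basename would keep the attachment filename well-formed. The `Content-Type` header and the tail of the read loop sit between the hunks and are not visible here, so the `Content-Length`-driven `fread` size (unset or zero if the header is missing) could not be checked.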
|
|
||||||
|
@@ -40,7 +40,8 @@
|
|||||||
$bs_file_path = "http://" . $bs_server . '/' . $bsReference;
|
$bs_file_path = "http://" . $bs_server . '/' . $bsReference;
|
||||||
|
|
||||||
if (isset($customType) && $customType)
|
if (isset($customType) && $customType)
|
||||||
$bs_file_path = "bs_disp_as_mime_type.php?file_path=" . urlencode($bs_file_path) . "&c_type=" . urlencode($mediaType);
|
|
||||||
|
$bs_file_path = 'bs_disp_as_mime_type.php' . PMA_generate_common_url(array('reference' => $bsReference, 'c_type' => $mediaType));
|
||||||
|
|
||||||
?>
|
?>
|
||||||
<html>
|
<html>
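Review bot: The brace-less `if (isset($customType) && $customType)` now guards a long single statement, `$bs_file_path = 'bs_disp_as_mime_type.php' . PMA_generate_common_url(array('reference' => $bsReference, 'c_type' => $mediaType));`, which is easy to misread as unconditional; wrap the body in `{ … }`. If `PMA_generate_common_url` HTML-encodes its `&` separators by default, as the phpMyAdmin helper normally does, the value now differs from the raw `&`-joined query string the old `urlencode`-built line produced — worth confirming that every consumer of `$bs_file_path` after `<html>` (outside this hunk) expects an HTML-context URL, or passing the encoding argument explicitly.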
|
||||||
|