Protect against inclusion of arbitrary file and HTTP header splitting.

This commit is contained in:
Michal Čihař
2009-03-24 12:24:45 +00:00
parent 184934bb10
commit 69bfbf11c7
2 changed files with 52 additions and 33 deletions


@@ -6,47 +6,65 @@
* @package BLOBStreaming * @package BLOBStreaming
*/ */
/**
* Core library.
*/
require_once './libraries/common.inc.php';
// load PMA configuration
$PMA_Config = $_SESSION['PMA_Config'];
// retrieve BS server variables from PMA configuration
$bs_server = $PMA_Config->get('BLOBSTREAMING_SERVER');
if (empty($bs_server)) die('No blob streaming server configured!');
// Check URL parameters
PMA_checkParameters(array('reference', 'c_type'));
// Increase time limit, because fetching blob might take some time
set_time_limit(0); set_time_limit(0);
$filename = isset($_REQUEST['file_path']) ? $_REQUEST['file_path'] : NULL; $reference = $_REQUEST['reference'];
$c_type = isset($_REQUEST['c_type']) ? $_REQUEST['c_type'] : NULL; /*
* FIXME: Maybe it would be better to check MIME type against whitelist as
* this code sems to support only few MIME types (check
* function PMA_BS_CreateReferenceLink in libraries/blobstreaming.lib.php).
*/
$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']);
if (isset($filename) && isset($c_type)) $filename = 'http://' . $bs_server . '/' . $reference;
{
$hdrs = get_headers($filename, 1);
if (is_array($hdrs)) $hdrs = get_headers($filename, 1);
$f_size = $hdrs['Content-Length'];
header("Expires: 0"); if ($hdrs === FALSE) die('Failed to fetch headers');
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header("Content-type: $c_type");
header('Content-length: ' . $f_size);
header("Content-disposition: attachment; filename=" . basename($filename));
$fHnd = fopen($filename, "rb"); $fHnd = fopen($filename, "rb");
if ($fHnd) if ($fHnd === FALSE) die('Failed to open remote URL');
{
$pos = 0;
$content = "";
while (!feof($fHnd)) $f_size = $hdrs['Content-Length'];
{
header("Expires: 0");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header("Content-type: $c_type");
header('Content-length: ' . $f_size);
header("Content-disposition: attachment; filename=" . basename($filename));
$pos = 0;
$content = "";
while (!feof($fHnd)) {
$content .= fread($fHnd, $f_size); $content .= fread($fHnd, $f_size);
$pos = strlen($content); $pos = strlen($content);
if ($pos >= $f_size) if ($pos >= $f_size)
break; break;
}
echo $content;
flush();
fclose($fHnd);
}
} }
?>
echo $content;
flush();
fclose($fHnd);
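Review bot: The sanitising pattern on the new `$c_type` line, `'/[^A-Za-z0-9/_-]/'`, uses `/` as the delimiter while also containing an unescaped `/` inside the character class; PHP's delimiter scan does not track brackets, so it cuts the pattern at the inner slash, reads `_-]/` as modifiers, emits an "Unknown modifier" warning and returns null, which leaves the later `Content-type:` header empty. Switch the delimiter (or escape the slash): `$c_type = preg_replace('~[^A-Za-z0-9/_-]~', '_', $_REQUEST['c_type']);`. Separately, `$f_size = $hdrs['Content-Length']` is taken from the remote server's headers unchecked and then used both in the `Content-length` header and as the `fread` length, so a missing or non-numeric value (or, with `get_headers(..., 1)` after a redirect, an array) produces a malformed header and a misbehaving read loop; a `if (!isset($hdrs['Content-Length']) || !is_numeric($hdrs['Content-Length'])) die('Missing Content-Length');` guard would fit the new die()-style checks. The script's first five lines are outside the hunk.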


@@ -40,7 +40,8 @@
$bs_file_path = "http://" . $bs_server . '/' . $bsReference; $bs_file_path = "http://" . $bs_server . '/' . $bsReference;
if (isset($customType) && $customType) if (isset($customType) && $customType)
$bs_file_path = "bs_disp_as_mime_type.php?file_path=" . urlencode($bs_file_path) . "&c_type=" . urlencode($mediaType);
$bs_file_path = 'bs_disp_as_mime_type.php' . PMA_generate_common_url(array('reference' => $bsReference, 'c_type' => $mediaType));
?> ?>
<html> <html>