Protect against inclusion of arbitrary file and HTTP header splitting.
@@ -6,47 +6,65 @@
|
||||
* @package BLOBStreaming
|
||||
*/
|
||||
|
||||
/**
|
||||
* Core library.
|
||||
*/
|
||||
require_once './libraries/common.inc.php';
|
||||
|
||||
// load PMA configuration
|
||||
$PMA_Config = $_SESSION['PMA_Config'];
|
||||
|
||||
// retrieve BS server variables from PMA configuration
|
||||
$bs_server = $PMA_Config->get('BLOBSTREAMING_SERVER');
|
||||
if (empty($bs_server)) die('No blob streaming server configured!');
|
||||
|
||||
// Check URL parameters
|
||||
PMA_checkParameters(array('reference', 'c_type'));
|
||||
|
||||
// Increase time limit, because fetching blob might take some time
|
||||
set_time_limit(0);
|
||||
|
||||
$filename = isset($_REQUEST['file_path']) ? $_REQUEST['file_path'] : NULL;
|
||||
$c_type = isset($_REQUEST['c_type']) ? $_REQUEST['c_type'] : NULL;
|
||||
$reference = $_REQUEST['reference'];
|
||||
/*
|
||||
* FIXME: Maybe it would be better to check MIME type against whitelist as
|
||||
* this code sems to support only few MIME types (check
|
||||
* function PMA_BS_CreateReferenceLink in libraries/blobstreaming.lib.php).
|
||||
*/
|
||||
$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']);
|
||||
|
||||
if (isset($filename) && isset($c_type))
|
||||
{
|
||||
$hdrs = get_headers($filename, 1);
|
||||
$filename = 'http://' . $bs_server . '/' . $reference;
|
||||
|
||||
if (is_array($hdrs))
|
||||
$f_size = $hdrs['Content-Length'];
|
||||
$hdrs = get_headers($filename, 1);
|
||||
|
||||
header("Expires: 0");
|
||||
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
|
||||
header("Cache-Control: no-store, no-cache, must-revalidate");
|
||||
header("Cache-Control: post-check=0, pre-check=0", false);
|
||||
header("Pragma: no-cache");
|
||||
header("Content-type: $c_type");
|
||||
header('Content-length: ' . $f_size);
|
||||
header("Content-disposition: attachment; filename=" . basename($filename));
|
||||
if ($hdrs === FALSE) die('Failed to fetch headers');
|
||||
|
||||
$fHnd = fopen($filename, "rb");
|
||||
$fHnd = fopen($filename, "rb");
|
||||
|
||||
if ($fHnd)
|
||||
{
|
||||
$pos = 0;
|
||||
$content = "";
|
||||
if ($fHnd === FALSE) die('Failed to open remote URL');
|
||||
|
||||
while (!feof($fHnd))
|
||||
{
|
||||
$f_size = $hdrs['Content-Length'];
|
||||
|
||||
header("Expires: 0");
|
||||
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
|
||||
header("Cache-Control: no-store, no-cache, must-revalidate");
|
||||
header("Cache-Control: post-check=0, pre-check=0", false);
|
||||
header("Pragma: no-cache");
|
||||
header("Content-type: $c_type");
|
||||
header('Content-length: ' . $f_size);
|
||||
header("Content-disposition: attachment; filename=" . basename($filename));
|
||||
|
||||
$pos = 0;
|
||||
$content = "";
|
||||
|
||||
while (!feof($fHnd)) {
|
||||
$content .= fread($fHnd, $f_size);
|
||||
$pos = strlen($content);
|
||||
|
||||
if ($pos >= $f_size)
|
||||
break;
|
||||
}
|
||||
|
||||
echo $content;
|
||||
flush();
|
||||
|
||||
fclose($fHnd);
|
||||
}
|
||||
}
|
||||
?>
|
||||
|
||||
echo $content;
|
||||
flush();
|
||||
|
||||
fclose($fHnd);
|
||||
|
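Review bot: The sanitising pattern `'/[^A-Za-z0-9/_-]/'` on the new `$c_type` line contains an unescaped `/` inside the character class, and PHP's PCRE wrapper does not treat bracket expressions specially when locating the closing delimiter, so the pattern is read as `[^A-Za-z0-9` with modifiers `_-]/`; preg_replace() then emits an "Unknown modifier" warning and returns null, leaving `Content-type:` empty for every request. Escape the slash or pick another delimiter: `$c_type = preg_replace('~[^A-Za-z0-9/_-]~', '_', $_REQUEST['c_type']);`. The same kind of whitelist would also suit `$reference`, which is now concatenated into `'http://' . $bs_server . '/' . $reference` and into the `Content-disposition` filename after only a presence check by PMA_checkParameters(); the reference format is not visible here, so the exact alphabet needs confirming against how references are generated. Separately, `$hdrs['Content-Length']` is read without checking the key exists, and with format 1 get_headers() may return it as an array after a redirect, so `fread($fHnd, $f_size)` and the `Content-length` header should guard for a missing or non-scalar value.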
@@ -40,7 +40,8 @@
|
||||
$bs_file_path = "http://" . $bs_server . '/' . $bsReference;
|
||||
|
||||
if (isset($customType) && $customType)
|
||||
$bs_file_path = "bs_disp_as_mime_type.php?file_path=" . urlencode($bs_file_path) . "&c_type=" . urlencode($mediaType);
|
||||
|
||||
$bs_file_path = 'bs_disp_as_mime_type.php' . PMA_generate_common_url(array('reference' => $bsReference, 'c_type' => $mediaType));
|
||||
|
||||
?>
|
||||
<html>
|
||||
|
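Review bot: The brace-less `if (isset($customType) && $customType)` now guards a long single-line assignment, which is easy to misread as unconditional when the next statement is added; wrapping the body in braces makes the branch explicit. The new URL is `'bs_disp_as_mime_type.php' . PMA_generate_common_url(...)` with no separator, which is correct only if PMA_generate_common_url() returns a string that starts with `?` (the old code built `?file_path=...` by hand); that helper is not visible in this hunk, so its return format should be confirmed. The surrounding code continues outside the hunk.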