From 9364f0d931883bb5f17f22c4003ee59256f9efb6 Mon Sep 17 00:00:00 2001 From: Joe7 Date: Wed, 5 Jan 2011 23:31:50 +0100 Subject: Allow '..' segment in photo/album paths through file_proxy (as is not forbidden in other places like add album/item) and explitely look for /../ instead Note: directory path can't end in '.' forcibly so this shall be fine Fixes Ticket #1518 --- modules/gallery/controllers/file_proxy.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules/gallery/controllers/file_proxy.php') diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 22854fbd..5ce9b458 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -45,7 +45,7 @@ class File_Proxy_Controller extends Controller { $file_uri = substr($request_uri, strlen($var_uri)); // Make sure that we don't leave the var dir - if (strpos($file_uri, "..") !== false) { + if (strpos($file_uri, "/../") !== false) { throw new Kohana_404_Exception(); } -- cgit v1.2.3 From d557b2a63e2ea424965fb53be9f6b76ad3f18015 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Mon, 10 Jan 2011 14:50:30 -0800 Subject: Allow File_Proxy_Controller to run in private gallery mode since it does all the right permission checks. This prevents a hotlink to a private photo in a private gallery from kicking the user out to a login page. Fixes #1594. --- modules/gallery/controllers/file_proxy.php | 1 + 1 file changed, 1 insertion(+) (limited to 'modules/gallery/controllers/file_proxy.php') diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 22854fbd..c6051dfd 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -27,6 +27,7 @@ * input is sanitized against the database before we perform any file I/O. */ class File_Proxy_Controller extends Controller { + const ALLOW_PRIVATE_GALLERY = true; public function __call($function, $args) { // request_uri: gallery3/var/trunk/albums/foo/bar.jpg $request_uri = rawurldecode(Input::instance()->server("REQUEST_URI")); -- cgit v1.2.3 From 7f6d87166df138073d85dd5201de8b9d19bc6cd2 Mon Sep 17 00:00:00 2001 From: Joe7 Date: Tue, 11 Jan 2011 23:16:05 +0100 Subject: Removed check as input value is compared against dataset of validated values, and request is only processed further in case of a match. => this is unnecessary --- modules/gallery/controllers/file_proxy.php | 5 ----- 1 file changed, 5 deletions(-) (limited to 'modules/gallery/controllers/file_proxy.php') diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 5ce9b458..47e1e483 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -44,11 +44,6 @@ class File_Proxy_Controller extends Controller { $file_uri = substr($request_uri, strlen($var_uri)); - // Make sure that we don't leave the var dir - if (strpos($file_uri, "/../") !== false) { - throw new Kohana_404_Exception(); - } - list ($type, $path) = explode("/", $file_uri, 2); if ($type != "resizes" && $type != "albums" && $type != "thumbs") { throw new Kohana_404_Exception(); -- cgit v1.2.3 From 09d34696a12ae15f6c7378a64b2359465b2d7277 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Tue, 11 Jan 2011 17:54:33 -0800 Subject: Update comments to annotate what data is where during the process. Follow-on for #1518. --- modules/gallery/controllers/file_proxy.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'modules/gallery/controllers/file_proxy.php') diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 0400d7c4..98f4e839 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -29,9 +29,11 @@ class File_Proxy_Controller extends Controller { const ALLOW_PRIVATE_GALLERY = true; public function __call($function, $args) { - // request_uri: gallery3/var/trunk/albums/foo/bar.jpg + // request_uri: gallery3/var/albums/foo/bar.jpg?m=1234 $request_uri = rawurldecode(Input::instance()->server("REQUEST_URI")); + // get rid of query parameters + // request_uri: gallery3/var/albums/foo/bar.jpg $request_uri = preg_replace("/\?.*/", "", $request_uri); // var_uri: gallery3/var/ @@ -43,8 +45,11 @@ class File_Proxy_Controller extends Controller { throw new Kohana_404_Exception(); } + // file_uri: albums/foo/bar.jpg $file_uri = substr($request_uri, strlen($var_uri)); + // type: albums + // path: foo/bar.jpg list ($type, $path) = explode("/", $file_uri, 2); if ($type != "resizes" && $type != "albums" && $type != "thumbs") { throw new Kohana_404_Exception(); -- cgit v1.2.3