Merge pull request from GHSA-rm52-jx9h-rwcp

- Prevent removal of any plugin file from unauthenticated user - Prevent access to files outside plugins directories - Prevent access to files from inactive plugins - Limit access to images and fix content-type - Add changelog entry
glpi-project · Oct 6, 2020 · 6ca9a0e · 6ca9a0e
1 parent f021f1f
commit 6ca9a0e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ The present file will list all changes made to the project; according to the
 #### Removed
 
 - Ability to use SQL expressions as string in criterion values in SQL iterator (replaced by usage of `QueryExpression`).
+- Ability to delete a plugin image using `/front/pluginimage.send.php` script.
 
 ## [9.5.1] 2020-07-16
 

diff --git a/front/pluginimage.send.php b/front/pluginimage.send.php
@@ -43,34 +43,36 @@
 
 include ('../inc/includes.php');
 
-if (!isset($_GET["name"]) || !isset($_GET["plugin"])) {
+if (!isset($_GET["name"]) || !isset($_GET["plugin"]) || !Plugin::isPluginActive($_GET["plugin"])) {
    Event::log("-1", "system", 2, "security",
               //TRANS: %s is user name
               sprintf(__('%s makes a bad usage.'), $_SESSION["glpiname"]));
    die("security");
 }
 
+$dir = GLPI_PLUGIN_DOC_DIR."/".$_GET["plugin"]."/";
+$filepath = $dir.$_GET["name"];
+
 if ((basename($_GET["name"]) != $_GET["name"])
-    || (basename($_GET["plugin"]) != $_GET["plugin"])) {
+    || (basename($_GET["plugin"]) != $_GET["plugin"])
+    || !Toolbox::startsWith(realpath($filepath), realpath(GLPI_PLUGIN_DOC_DIR))
+    || !Document::isImage($filepath)) {
 
    Event::log("-1", "system", 1, "security",
               sprintf(__('%s tries to use a non standard path.'), $_SESSION["glpiname"]));
    die("security");
 }
-$Path = GLPI_PLUGIN_DOC_DIR."/".$_GET["plugin"]."/";
 
 // Now send the file with header() magic
 header("Expires: Sun, 30 Jan 1966 06:30:00 GMT");
 header('Pragma: private'); /// IE BUG + SSL
 header('Cache-control: private, must-revalidate'); /// IE BUG + SSL
 header('Content-disposition: filename="' . $_GET["name"] . '"');
-header("Content-type: image/png");
 
-if (file_exists($Path.$_GET["name"])) {
-   readfile($Path.$_GET["name"]);
-   if (isset($_GET["clean"])) {
-      unlink($Path.$_GET["name"]);
-   }
+if (file_exists($filepath)) {
+   header("Content-type: " . Toolbox::getMime($filepath));
+   readfile($filepath);
 } else {
+   header("Content-type: image/png");
    readfile($CFG_GLPI['root_doc'] . "/pics/warning.png");
 }