From 2c8abdac4142e8f8fc06f7c12f08025f2e5f02e6 Mon Sep 17 00:00:00 2001
From: Phyks
Date: Sat, 21 Dec 2013 16:06:34 +0100
Subject: [PATCH 1/4] Automatic regeneration of index.html in temp if needed
---
 tipiak.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tipiak.php b/tipiak.php
index 9dc26b6..40af9c3 100644
--- a/tipiak.php
+++ b/tipiak.php
@@ -1,5 +1,6 @@ 1){ $post=array_map("strip_tags",$_POST);
From edc71c38ff4364e9efd1ddc96a2d23041a078c2a Mon Sep 17 00:00:00 2001
From: Phyks
Date: Mon, 23 Dec 2013 13:35:16 +0100
Subject: [PATCH 2/4] Security update
* Uniqid generated for each file => never store the file on the server with its real name.
* Modified the glob function to remove these files.
* Delete the downloaded files as soon as zip archive is generated.
---
 tipiak.php | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/tipiak.php b/tipiak.php
index 40af9c3..9c1998e 100644
--- a/tipiak.php
+++ b/tipiak.php
@@ -1,6 +1,7 @@ 1){ $post=array_map("strip_tags",$_POST);
@@ -9,14 +10,15 @@ foreach($post as $file){
 $temp=file_curl_contents($file);
 $basetempfilename='temp/'.basename($file);
- file_put_contents($basetempfilename,$temp);
- $tozip[]=$basetempfilename;
+ $basetempfilename_secure='temp/'.uniqid();
+ file_put_contents($basetempfilename_secure,$temp);
+ $tozip[]=array('basetempfilename'=>$basetempfilename, 'basetempfilename_secure'=>$basetempfilename_secure);
 }
 create_zip($tozip, $filename, true);
 header('location: '.$filename);
 }else{
 //delete all temp files
- $temp=glob('temp/*.*');
+ $temp=glob('temp/*');
 foreach ($temp as $file){if (basename($file)!='index.html'){unlink($file);}}
 }
@@ -191,8 +193,8 @@ function create_zip($files = array(),$destination = '',$overwrite = false) {
 $valid_files = array();
 if(is_array($files)) {
 foreach($files as $file) {
- if(file_exists($file)) {
- $valid_files[] = $file;
+ if(file_exists($file['basetempfilename_secure'])) {
+ $valid_files[] = $file;
 }
 }
 }
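Review bot: `uniqid()` on the new `$basetempfilename_secure` line is built from the current microsecond timestamp rather than from a CSPRNG, so the on-disk name is guessable by anyone who can estimate when a request ran, and two requests landing in the same microsecond get the same name and overwrite each other's download. Since the commit's stated goal is that the real name never reaches the server, use a random token instead, e.g. `$basetempfilename_secure='temp/'.bin2hex(openssl_random_pseudo_bytes(16));`, or at minimum `uniqid('', true)`. The `file_put_contents` return value is also not checked, so a failed write still pushes the entry into `$tozip` and is only dropped later, silently, by the `file_exists` filter in `create_zip`, leaving the user with an archive that is missing that file. The enclosing `if ($_POST&&count($_POST)>1){` block starts outside the hunk.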
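Review bot: `create_zip` now requires each element of `$files` to be an array carrying the `basetempfilename` and `basetempfilename_secure` keys, but the `$files = array()` signature and the absence of any docblock still read as a flat list of paths, and a caller passing plain strings now hits an illegal-offset notice at `file_exists($file['basetempfilename_secure'])` instead of a clear error. Add a docblock above the function stating the shape, e.g. `/** @param array<int, array{basetempfilename:string, basetempfilename_secure:string}> $files  'basetempfilename_secure' is the on-disk path, 'basetempfilename' the archive entry name */`, and consider skipping malformed entries with `if(!is_array($file)) { continue; }` inside the loop. The function header is outside this hunk and only appears as the `@@` context.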
@@ -202,9 +204,12 @@ function create_zip($files = array(),$destination = '',$overwrite = false) {
 return false;
 }
 foreach($valid_files as $file) {
- $zip->addFile($file,$file);
+ $zip->addFile($file['basetempfilename_secure'],$file['basetempfilename']);
 }
 $zip->close();
+ foreach($valid_files as $file) {
+ unlink($file['basetempfilename_secure']);
+ }
 return file_exists($destination);
 }else{ return false; } }
From 51653bb75dc7b389bc6427b65ab5d56df09d7f57 Mon Sep 17 00:00:00 2001
From: Phyks
Date: Mon, 23 Dec 2013 18:05:23 +0100
Subject: [PATCH 3/4] Security update for temp/ dir
As discussed here : https://github.com/broncowdd/tipiak/commit/4a47c06fef4624af8468ec27e654aac09b539f40#commitcomment-4929833
Automatically add a .htaccess file in temp/ dir to serve files as plain text and not executing them.
---
 tipiak.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tipiak.php b/tipiak.php
index 9c1998e..61a44bb 100644
--- a/tipiak.php
+++ b/tipiak.php
@@ -1,6 +1,7 @@ 1){
From e3c61ab2ee007d125397e82cdcce72cfb953d826 Mon Sep 17 00:00:00 2001
From: Phyks
Date: Mon, 23 Dec 2013 18:11:47 +0100
Subject: [PATCH 4/4] Bug in last commit
Forgot about zip files to be served as zip :/
---
 tipiak.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tipiak.php b/tipiak.php
index 61a44bb..f52fd47 100644
--- a/tipiak.php
+++ b/tipiak.php
@@ -1,7 +1,7 @@ \n\tForceType application/zip\n");}
 // handle the post packing of files
 if ($_POST&&count($_POST)>1){
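Review bot: The new unlink loop after `$zip->close()` only runs on the success path; when the archive cannot be opened and the function takes the `return false;` at the top of the hunk, the downloaded copies stay in `temp/` under their generated names until some later non-POST request happens to run the glob cleanup. Pull the loop into a small helper such as `function remove_temp_files($files) { foreach($files as $file) { unlink($file['basetempfilename_secure']); } }` and call it both before that early `return false;` and after `$zip->close();`, so a failed archive never leaves fetched content behind. Separately, the `$zip->addFile(...)` return value is not checked, and two URLs that share a `basename` now yield the same entry name `$file['basetempfilename']`, so one either replaces the other or the add fails silently depending on the libzip version — worth confirming and at least logging when `addFile` returns false. The opening lines of `create_zip`, including the `$zip->open` call, are outside the hunk.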