From ff5b60a215769bcf046bb9109b61ffe6af0ca5eb Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 12 Feb 2013 10:01:46 +0000
Subject: bug 2844: increase security on LocalFiles Editor, filter on files to edit.

git-svn-id: http://piwigo.org/svn/branches/2.4@20712 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 plugins/LocalFilesEditor/include/tpl.inc.php | 51 ++++++++++++++++++----------
 1 file changed, 34 insertions(+), 17 deletions(-)

(limited to 'plugins/LocalFilesEditor/include/tpl.inc.php')

diff --git a/plugins/LocalFilesEditor/include/tpl.inc.php b/plugins/LocalFilesEditor/include/tpl.inc.php
index 1063b2238..4e985ac92 100644
--- a/plugins/LocalFilesEditor/include/tpl.inc.php
+++ b/plugins/LocalFilesEditor/include/tpl.inc.php
@@ -1,21 +1,34 @@
 assign('template', $_POST['template']);
+
+ $edited_file = './template-extension/'.$_POST['template'];
+}
+
+$content_file = '';
+if (file_exists($edited_file))
+{
+ $content_file = file_get_contents($edited_file);
 }
 $newfile_page = isset($_GET['newfile']);
@@ -50,6 +63,7 @@ if (isset($_POST['create_tpl']))
 }
 else
 {
+ $template->assign('template', $filename);
 $edited_file = $_POST['tpl_parent'] . '/' . $filename;
 $content_file = ($_POST['tpl_model'] == '0') ? '' : file_get_contents($_POST['tpl_model']);
 }
@@ -117,7 +131,7 @@ else
 $options[] = '----------------------';
 foreach (get_extents() as $pwg_template)
 {
- $value = './template-extension/' . $pwg_template;
+ $value = $pwg_template;
 $options[$value] = str_replace('/', ' / ', $pwg_template);
 if ($edited_file == $value) $selected = $value;
 }
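Review bot: The added `$edited_file = './template-extension/'.$_POST['template'];` is only as safe as the condition of the block it sits in, and that condition is not visible here: the hunk text before `assign('template', $_POST['template']);` was lost in extraction (the run from `<?php` up to `$template->` was swallowed as markup), so confirm against the file that `$_POST['template']` is checked against `get_extents()` before it is concatenated into a path. The new `file_exists($edited_file)` then runs unconditionally; unless `$edited_file` is initialised earlier in the hunk, a request without `template` reaches it undefined. If it is not already there, a one-line `$edited_file = '';` before the branch avoids that, and it also keeps the later `empty($edited_file)` check meaningful.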
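Review bot: `file_get_contents($_POST['tpl_model'])` on the line after the added `$template->assign('template', $filename);` still reads whatever path the client posted, so the commit's filtering covers the file being edited but not the model it is seeded from; unless `tpl_model` is validated before this hunk, it should be accepted only when it is one of the model choices the page itself offers (that list is built outside the hunk) and rejected otherwise. While there, `$_POST['tpl_model'] == '0'` is a loose comparison; `=== '0'` says what is meant. The enclosing if/else starts before the hunk.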
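Review bot: With `$value = $pwg_template;` the comparison `if ($edited_file == $value)` two lines below matches a bare extent name against `$edited_file`, which the first hunk now builds as `'./template-extension/'.$_POST['template']`, so unless `$edited_file` is rewritten between the hunks the two never compare equal and `$selected` is not set here; the fallback in the `@@ -126,13` hunk then appends a second option keyed by the prefixed path. If the option values are meant to be bare names, compare against the prefixed form, `if ($edited_file == './template-extension/'.$value) $selected = $value;`, or strip the prefix once before the loop. The `else` block that contains this loop starts before the hunk.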
@@ -126,13 +140,16 @@ else
 $options[$edited_file] = str_replace(array('./template-extension/', '/'), array('', ' / '), $edited_file);
 $selected = $edited_file;
 }
- $template->assign('css_lang_tpl', array(
- 'OPTIONS' => $options,
- 'SELECTED' => $selected,
- 'NEW_FILE_URL' => $my_base_url.'-tpl&newfile',
- 'NEW_FILE_CLASS' => empty($edited_file) ? '' : 'top_right'
- )
- );
+ $template->assign(
+ 'css_lang_tpl',
+ array(
+ 'SELECT_NAME' => 'file_to_edit',
+ 'OPTIONS' => $options,
+ 'SELECTED' => $selected,
+ 'NEW_FILE_URL' => $my_base_url.'-tpl&newfile',
+ 'NEW_FILE_CLASS' => empty($edited_file) ? '' : 'top_right'
+ )
+ );
 }
 $codemirror_mode = 'text/html';
--
cgit v1.2.3