security improvements to fm

This commit is contained in:
Usman Nasir
2020-02-04 19:22:42 +05:00
parent a5517b27bb
commit e5ebbd1fdf
2 changed files with 38 additions and 9 deletions


@@ -1,6 +1,5 @@
from django.shortcuts import HttpResponse from django.shortcuts import HttpResponse
import json import json
import subprocess, shlex
from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
from plogical.processUtilities import ProcessUtilities from plogical.processUtilities import ProcessUtilities
from websiteFunctions.models import Websites from websiteFunctions.models import Websites
@@ -22,7 +21,7 @@ class FileManager:
def returnPathEnclosed(self, path): def returnPathEnclosed(self, path):
htmlParser = html.parser.HTMLParser() htmlParser = html.parser.HTMLParser()
path = htmlParser.unescape(path) path = html.unescape(path)
return path return path
return "'" + path + "'" return "'" + path + "'"
@@ -131,11 +130,11 @@ class FileManager:
domainName = self.data['domainName'] domainName = self.data['domainName']
website = Websites.objects.get(domain=domainName) website = Websites.objects.get(domain=domainName)
homePath = '/home/%s' % (domainName)
if self.data['fileName'].find('..') > -1: if self.data['fileName'].find('..') > -1 or self.data['fileName'].find(homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!') return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
command = "touch " + self.returnPathEnclosed(self.data['fileName']) command = "touch " + self.returnPathEnclosed(self.data['fileName'])
ProcessUtilities.executioner(command, website.externalApp) ProcessUtilities.executioner(command, website.externalApp)
@@ -154,6 +153,11 @@ class FileManager:
domainName = self.data['domainName'] domainName = self.data['domainName']
website = Websites.objects.get(domain=domainName) website = Websites.objects.get(domain=domainName)
homePath = '/home/%s' % (domainName)
if self.data['folderName'].find('..') > -1 or self.data['folderName'].find(homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
command = "mkdir " + self.returnPathEnclosed(self.data['folderName']) command = "mkdir " + self.returnPathEnclosed(self.data['folderName'])
ProcessUtilities.executioner(command, website.externalApp) ProcessUtilities.executioner(command, website.externalApp)
@@ -172,8 +176,14 @@ class FileManager:
domainName = self.data['domainName'] domainName = self.data['domainName']
website = Websites.objects.get(domain=domainName) website = Websites.objects.get(domain=domainName)
homePath = '/home/%s' % (domainName)
for item in self.data['fileAndFolders']: for item in self.data['fileAndFolders']:
if item.find('..') > -1 or item.find(homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
command = 'rm -rf ' + self.returnPathEnclosed(self.data['path'] + '/' + item) command = 'rm -rf ' + self.returnPathEnclosed(self.data['path'] + '/' + item)
ProcessUtilities.executioner(command, website.externalApp) ProcessUtilities.executioner(command, website.externalApp)
@@ -192,7 +202,9 @@ class FileManager:
domainName = self.data['domainName'] domainName = self.data['domainName']
website = Websites.objects.get(domain=domainName) website = Websites.objects.get(domain=domainName)
if not self.data['newPath'].find(self.data['home']) > -1: homePath = '/home/%s' % (domainName)
if self.data['newPath'].find('..') > -1 or self.data['newPath'].find(homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!') return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
if len(self.data['fileAndFolders']) == 1: if len(self.data['fileAndFolders']) == 1:
@@ -225,7 +237,9 @@ class FileManager:
domainName = self.data['domainName'] domainName = self.data['domainName']
website = Websites.objects.get(domain=domainName) website = Websites.objects.get(domain=domainName)
if not self.data['newPath'].find(self.data['home']) > -1: homePath = '/home/%s' % (domainName)
if self.data['newPath'].find('..') > -1 or self.data['newPath'].find(homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!') return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
command = 'mkdir ' + self.returnPathEnclosed(self.data['newPath']) command = 'mkdir ' + self.returnPathEnclosed(self.data['newPath'])
@@ -251,7 +265,9 @@ class FileManager:
domainName = self.data['domainName'] domainName = self.data['domainName']
website = Websites.objects.get(domain=domainName) website = Websites.objects.get(domain=domainName)
if self.data['newFileName'].find('..') > -1: homePath = '/home/%s' % (domainName)
if self.data['newFileName'].find('..') > -1 or self.data['newFileName'].find(homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!') return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
@@ -365,7 +381,9 @@ class FileManager:
domainName = self.data['domainName'] domainName = self.data['domainName']
website = Websites.objects.get(domain=domainName) website = Websites.objects.get(domain=domainName)
if not self.data['extractionLocation'].find(self.data['home']) > -1: homePath = '/home/%s' % (domainName)
if self.data['extractionLocation'].find('..') > -1 or self.data['extractionLocation'].find(homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!') return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
if self.data['extractionType'] == 'zip': if self.data['extractionType'] == 'zip':
@@ -400,7 +418,14 @@ class FileManager:
self.data['basePath'] + '/' + self.data['compressedFileName'] + '.tar.gz') self.data['basePath'] + '/' + self.data['compressedFileName'] + '.tar.gz')
command = 'tar -czvf ' + compressedFileName + ' ' command = 'tar -czvf ' + compressedFileName + ' '
homePath = '/home/%s' % (domainName)
for item in self.data['listOfFiles']: for item in self.data['listOfFiles']:
if item.find('..') > -1 or item.find(
homePath) == -1:
return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
command = '%s%s ' % (command, self.returnPathEnclosed(item)) command = '%s%s ' % (command, self.returnPathEnclosed(item))
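Review bot: The containment test added in every hunk of this file, `self.data['fileName'].find(homePath) == -1`, is a substring match, so a path that merely contains `/home/<domain>` somewhere (a sibling directory that starts with the same name, or that string nested under a different directory) passes, and symlinks inside the home are never resolved; canonicalise the path and compare it against the real home directory, as in the helper below, which would also replace the eight hand-copied checks. In the delete hunk the check is applied to `item` while the command runs on `self.data['path'] + '/' + item`, so `self.data['path']` is not covered here unless it is validated somewhere outside the hunk. Separately, `returnPathEnclosed` still wraps the path in single quotes without escaping a quote character inside it; with `shlex` now dropped from the imports, consider keeping that import and returning `shlex.quote(path)` instead. The enclosing methods start outside each hunk, and the helper needs `os` imported at the top of the file if it is not already.

```python
def isInsideHome(self, path, domainName):
    # Resolve symlinks and '..' segments before comparing, then require the
    # path to be the home directory itself or a descendant of it. A substring
    # or plain prefix test accepts sibling directories whose name begins with
    # the domain, and unresolved symlinks can point outside the home.
    homePath = os.path.realpath('/home/%s' % (domainName))
    realPath = os.path.realpath(path)
    return os.path.commonpath([homePath, realPath]) == homePath
```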


@@ -94,11 +94,15 @@ def downloadFile(request):
else: else:
return ACLManager.loadErrorJson('permissionsChanged', 0) return ACLManager.loadErrorJson('permissionsChanged', 0)
homePath = '/home/%s' % (domainName)
if fileToDownload.find('..') > -1 or fileToDownload.find(homePath) == -1:
return HttpResponse("Unauthorized access.")
response = HttpResponse(content_type='application/force-download') response = HttpResponse(content_type='application/force-download')
response['Content-Disposition'] = 'attachment; filename=%s' % (fileToDownload.split('/')[-1]) response['Content-Disposition'] = 'attachment; filename=%s' % (fileToDownload.split('/')[-1])
response['X-LiteSpeed-Location'] = '%s' % (fileToDownload) response['X-LiteSpeed-Location'] = '%s' % (fileToDownload)
logging.CyberCPLogFileWriter.writeToFile('test 2')
return response return response
except KeyError: except KeyError:
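Review bot: The new check `fileToDownload.find(homePath) == -1` is a substring test, so any path that contains `/home/<domain>` anywhere in it — a sibling directory whose name starts with the domain, or that string placed under some other directory — is accepted and then handed to the web server through `X-LiteSpeed-Location`; compare the canonical path instead, e.g. `homePath = os.path.realpath('/home/%s' % (domainName))` followed by `if os.path.commonpath([os.path.realpath(fileToDownload), homePath]) != homePath:` (this needs `os` imported if the file does not already import it). The added `logging.CyberCPLogFileWriter.writeToFile('test 2')` on the success path looks like a leftover debug trace and should be removed before merge. The `Content-Disposition` value is built with the bare file name; Django rejects newlines in header values, but a name containing `"` or `;` still yields a malformed header, so quote it (`'attachment; filename="%s"'`). downloadFile starts before this hunk, and the `try` that `except KeyError:` closes is outside the shown lines.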