security improvements to fm

2025-11-10 15:26:13 +01:00 · 2020-02-04 19:22:42 +05:00
parent a5517b27bb
commit e5ebbd1fdf
2 changed files with 38 additions and 9 deletions
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -1,6 +1,5 @@
 from django.shortcuts import HttpResponse
 import json
-import subprocess, shlex
 from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
 from plogical.processUtilities import ProcessUtilities
 from websiteFunctions.models import Websites
@@ -22,7 +21,7 @@ class FileManager:

    def returnPathEnclosed(self, path):
        htmlParser = html.parser.HTMLParser()
-        path = htmlParser.unescape(path)
+        path = html.unescape(path)
        return path
        return "'" + path + "'"

@@ -131,11 +130,11 @@ class FileManager:

            domainName = self.data['domainName']
            website = Websites.objects.get(domain=domainName)
+            homePath = '/home/%s' % (domainName)

-            if self.data['fileName'].find('..') > -1:
+            if self.data['fileName'].find('..') > -1 or self.data['fileName'].find(homePath) == -1:
                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

-
            command = "touch " + self.returnPathEnclosed(self.data['fileName'])
            ProcessUtilities.executioner(command, website.externalApp)

@@ -154,6 +153,11 @@ class FileManager:
            domainName = self.data['domainName']
            website = Websites.objects.get(domain=domainName)

+            homePath = '/home/%s' % (domainName)
+
+            if self.data['folderName'].find('..') > -1 or self.data['folderName'].find(homePath) == -1:
+                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
+
            command = "mkdir " + self.returnPathEnclosed(self.data['folderName'])
            ProcessUtilities.executioner(command, website.externalApp)

@@ -172,8 +176,14 @@ class FileManager:

            domainName = self.data['domainName']
            website = Websites.objects.get(domain=domainName)
+            homePath = '/home/%s' % (domainName)

            for item in self.data['fileAndFolders']:
+
+                if item.find('..') > -1 or item.find(homePath) == -1:
+                    return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
+
+
                command = 'rm -rf ' + self.returnPathEnclosed(self.data['path'] + '/' + item)
                ProcessUtilities.executioner(command, website.externalApp)

@@ -192,7 +202,9 @@ class FileManager:
            domainName = self.data['domainName']
            website = Websites.objects.get(domain=domainName)

-            if not self.data['newPath'].find(self.data['home']) > -1:
+            homePath = '/home/%s' % (domainName)
+
+            if self.data['newPath'].find('..') > -1 or self.data['newPath'].find(homePath) == -1:
                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

            if len(self.data['fileAndFolders']) == 1:
@@ -225,7 +237,9 @@ class FileManager:
            domainName = self.data['domainName']
            website = Websites.objects.get(domain=domainName)

-            if not self.data['newPath'].find(self.data['home']) > -1:
+            homePath = '/home/%s' % (domainName)
+
+            if self.data['newPath'].find('..') > -1 or self.data['newPath'].find(homePath) == -1:
                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

            command = 'mkdir ' + self.returnPathEnclosed(self.data['newPath'])
@@ -251,7 +265,9 @@ class FileManager:
            domainName = self.data['domainName']
            website = Websites.objects.get(domain=domainName)

-            if self.data['newFileName'].find('..') > -1:
+            homePath = '/home/%s' % (domainName)
+
+            if self.data['newFileName'].find('..') > -1 or self.data['newFileName'].find(homePath) == -1:
                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')


@@ -365,7 +381,9 @@ class FileManager:
            domainName = self.data['domainName']
            website = Websites.objects.get(domain=domainName)

-            if not self.data['extractionLocation'].find(self.data['home']) > -1:
+            homePath = '/home/%s' % (domainName)
+
+            if self.data['extractionLocation'].find('..') > -1 or self.data['extractionLocation'].find(homePath) == -1:
                return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')

            if self.data['extractionType'] == 'zip':
@@ -400,7 +418,14 @@ class FileManager:
                    self.data['basePath'] + '/' + self.data['compressedFileName'] + '.tar.gz')
                command = 'tar -czvf ' + compressedFileName + ' '

+            homePath = '/home/%s' % (domainName)
+
            for item in self.data['listOfFiles']:
+
+                if item.find('..') > -1 or item.find(
+                        homePath) == -1:
+                    return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
+
                command = '%s%s ' % (command, self.returnPathEnclosed(item))


--- a/filemanager/views.py
+++ b/filemanager/views.py
@@ -94,11 +94,15 @@ def downloadFile(request):
        else:
            return ACLManager.loadErrorJson('permissionsChanged', 0)

+        homePath = '/home/%s' % (domainName)
+
+        if fileToDownload.find('..') > -1 or fileToDownload.find(homePath) == -1:
+            return HttpResponse("Unauthorized access.")
+
        response = HttpResponse(content_type='application/force-download')
        response['Content-Disposition'] = 'attachment; filename=%s' % (fileToDownload.split('/')[-1])
        response['X-LiteSpeed-Location'] = '%s' % (fileToDownload)

-        logging.CyberCPLogFileWriter.writeToFile('test 2')
        return response

    except KeyError: