Resolve "OER-Campus: File upload vulnerabilities"

Closes #3586 and #3587 Merge request studip/studip!2480

Resolve "OER-Campus: File upload vulnerabilities"
77910a62 · André Noack · Elmar Ludwig · 36f74a0d · 77910a62 · 77910a62
Commit 77910a62 authored 1 year ago by André Noack Committed by Elmar Ludwig 1 year ago
--- a/app/controllers/oer/endpoints.php
+++ b/app/controllers/oer/endpoints.php
@@ -328,6 +328,15 @@ class Oer_EndpointsController extends StudipController
            throw new Exception(_('Die gewünschte Datei konnte nicht gefunden werden.'));
        }
        $filesize = filesize($this->material->getFilePath());
+        $content_type = $this->material['content_type'];
+        if (!in_array($content_type, get_mime_types())) {
+            $content_type = 'application/octet-stream';
+        }
+        if ($content_type === 'application/octet-stream') {
+            $content_disposition = 'attachment';
+        } else {
+            $content_disposition = $disposition === 'attachment' ? 'attachment' : 'inline';
+        }
        header("Accept-Ranges: bytes");
        $start = 0;
        $end = $filesize - 1;
@@ -373,8 +382,8 @@ class Oer_EndpointsController extends StudipController
            header("Cache-Control: no-store, no-cache, must-revalidate");   // HTTP/1.1
        }
        header("Cache-Control: post-check=0, pre-check=0", false);
-        header("Content-Type: ".$this->material['content_type']);
-        header("Content-Disposition: " . ($disposition ?: "inline") . "; " . encode_header_parameter('filename', $this->material['filename']));
+        header("Content-Type: " . $content_type);
+        header("Content-Disposition: " . $content_disposition . "; " . encode_header_parameter('filename', $this->material['filename']));

        readfile_chunked($this->material->getFilePath(), $start, $end);

@@ -392,10 +401,17 @@ class Oer_EndpointsController extends StudipController
    public function download_front_image_action($material_id)
    {
        $this->material = new OERMaterial($material_id);
-        $this->set_content_type($this->material['front_image_content_type']);
-        $this->response->add_header('Content-Disposition', 'inline');
-        $this->response->add_header('Content-Length', filesize($this->material->getFrontImageFilePath()));
-        $this->render_text(file_get_contents($this->material->getFrontImageFilePath()));
+        if (
+            stripos($this->material['front_image_content_type'], 'image') === 0
+            && stripos($this->material['front_image_content_type'], 'svg') === false
+        ) {
+            $this->set_content_type($this->material['front_image_content_type']);
+            $this->response->add_header('Content-Disposition', 'inline');
+            $this->response->add_header('Content-Length', filesize($this->material->getFrontImageFilePath()));
+            $this->render_text(file_get_contents($this->material->getFrontImageFilePath()));
+        } else {
+            throw new Trails_Exception(404);
+        }
    }

    /**

--- a/app/controllers/oer/market.php
+++ b/app/controllers/oer/market.php
@@ -8,6 +8,15 @@ class Oer_MarketController extends StudipController
    function before_filter(&$action, &$args)
    {
        parent::before_filter($action, $args);
+        if (
+            !Config::get()->OERCAMPUS_ENABLED
+            || (
+                Config::get()->OER_PUBLIC_STATUS !== 'nobody'
+                && !$GLOBALS['perm']->have_perm(Config::get()->OER_PUBLIC_STATUS)
+            )
+        ) {
+            throw new AccessDeniedException();
+        }
        Helpbar::Get()->addPlainText(
            _("Lernmaterialien"),
            _("Übungszettel, Musterlösungen, Vorlesungsmitschriften oder gar Folien, selbsterstellte Lernkarteikarten oder alte Klausuren. Das alles wird einmal erstellt und dann meist vergessen. Auf dem Lernmaterialienmarktplatz bleiben sie erhalten. Jeder kann was hochladen und jeder kann alles herunterladen. Alle Inhalte hier sind frei verfügbar für jeden.")
@@ -17,9 +26,6 @@ class Oer_MarketController extends StudipController

    public function index_action()
    {
-        if (!$GLOBALS['perm']->have_perm(Config::get()->OER_PUBLIC_STATUS)) {
-            throw new AccessDeniedException();
-        }
        if (Navigation::hasItem("/oer/market")) {
            Navigation::activateItem("/oer/market");
        }
@@ -153,9 +159,6 @@ class Oer_MarketController extends StudipController

    public function search_action()
    {
-        if (!$GLOBALS['perm']->have_perm(Config::get()->OER_PUBLIC_STATUS)) {
-            throw new AccessDeniedException();
-        }
        if (Navigation::hasItem("/oer/market")) {
            Navigation::activateItem("/oer/market");
        }

--- a/app/controllers/oer/mymaterial.php
+++ b/app/controllers/oer/mymaterial.php
@@ -7,6 +7,13 @@ class Oer_MymaterialController extends AuthenticatedController
    public function before_filter(&$action, &$args)
    {
        parent::before_filter($action, $args);
+        if (
+            !Config::get()->OERCAMPUS_ENABLED
+            ||
+            !$GLOBALS['perm']->have_perm(Config::get()->OER_PUBLIC_STATUS)
+        ) {
+            throw new AccessDeniedException();
+        }
        PageLayout::setTitle(_('Lernmaterialien'));
    }

@@ -47,7 +54,7 @@ class Oer_MymaterialController extends AuthenticatedController
            $material['host_id'] = null;
            $material['license_identifier'] = Request::get('license', 'CC-BY-SA-4.0');
            if (!empty($_FILES['file']['tmp_name'])) {
-                $material['content_type'] = $_FILES['file']['type'];
+                $material['content_type'] = get_mime_type($_FILES['file']['name']);
                if (in_array($material['content_type'], $content_types)) {
                    mkdir($tmp_folder);
                    \Studip\ZipArchive::extractToPath($_FILES['file']['tmp_name'], $tmp_folder);
@@ -73,8 +80,8 @@ class Oer_MymaterialController extends AuthenticatedController
            }


-            if (!empty($_FILES['image']['tmp_name'])) {
-                $material['front_image_content_type'] = $_FILES['image']['type'];
+            if (!empty($_FILES['image']['tmp_name']) && is_array(getimagesize($_FILES['image']['tmp_name']))) {
+                $material['front_image_content_type'] = get_mime_type($_FILES['image']['name']);
                move_uploaded_file($_FILES['image']['tmp_name'], $material->getFrontImageFilePath());
            } elseif (!empty($_SESSION['NEW_OER']['image_tmp_name'])) {
                $material['front_image_content_type'] = get_mime_type($_SESSION['NEW_OER']['image_tmp_name']);

--- a/app/controllers/oer/oai.php
+++ b/app/controllers/oer/oai.php
@@ -8,6 +8,13 @@
 class Oer_OaiController extends StudipController
 {

+    public function before_filter(&$action, &$args)
+    {
+        parent::before_filter($action, $args);
+        if (!Config::get()->OERCAMPUS_ENABLED) {
+            throw new AccessDeniedException();
+        }
+    }
    public function index_action()
    {
        $this->set_content_type('text/xml;charset=utf-8');

--- a/app/controllers/studip_controller.php
+++ b/app/controllers/studip_controller.php
@@ -504,8 +504,15 @@ abstract class StudipController extends Trails_Controller
        }

        if ($content_type === null) {
-            $finfo = finfo_open(FILEINFO_MIME_TYPE);
-            $content_type = finfo_file($finfo, $file);
+            $content_type = get_mime_type($filename ?: $file);
+        }
+
+        if (!in_array($content_type, get_mime_types())) {
+            $content_type = 'application/octet-stream';
+        }
+
+        if ($content_type === 'application/octet-stream') {
+            $content_disposition = 'attachment';
        }

        $this->set_content_type($content_type);