Fixed security issues.

2025-05-24 20:14:37 -04:00 · 2011-09-06 20:57:49 +02:00 · 2011-09-06 20:57:49 +02:00 · 8e21a3c038
commit 8e21a3c038
parent df30c67ade
10 changed files with 100 additions and 52 deletions
--- a/README.md
+++ b/README.md
@ -10,6 +10,12 @@ It uses the [Faenza icon set](http://tiheum.deviantart.com/art/Faenza-Icons-1733
 ## Changelog


+### v0.15.1 · *2011-09-06*
+
+* fixed security issues with the zipped download feature
+* made zipped download optional (but enabled by default)
+
+
 ### v0.15 · *2011-09-04*

 * added zipped download for selected files
--- a/build.properties
+++ b/build.properties
@ -3,7 +3,7 @@ custom                           = true

 # project
 project.name                     = h5ai
-project.version                  = 0.15
+project.version                  = 0.15.1


 # src
--- a/release/h5ai-0.15.1.tar.gz
+++ b/release/h5ai-0.15.1.tar.gz
--- a/release/h5ai-0.15.1.zip
+++ b/release/h5ai-0.15.1.zip
--- a/release/h5ai-0.15.tar.gz
+++ b/release/h5ai-0.15.tar.gz
--- a/src/h5ai/js/inc/h5ai.js
+++ b/src/h5ai/js/inc/h5ai.js
@ -28,7 +28,9 @@ var H5ai = function (options, langs) {
            dateFormat: "Y-m-d H:i",
            ignore: ["h5ai", "h5ai.header.html", "h5ai.footer.html"],
            ignoreRE: ["/^\\./"],
-            showThumbs: true
+            showThumbs: true,
+            
+            zippedDownload: true
        },
        settings = $.extend({}, defaults, options),
        pathClick = function (fn) {
@ -292,7 +294,7 @@ var H5ai = function (options, langs) {
                });
            });
        },
-        initSelect = function () {
+        initZippedDownload = function () {

            var x = 0,
                y = 0,
@ -362,9 +364,11 @@ var H5ai = function (options, langs) {
                    return false;
                };

-            $("body>nav,body>footer,#tree,#extended a").bind("mousedown", noSelection);
-            $("#extended a").live("mousedown", noSelection);
-            $window.bind("mousedown", selectionStart);
+            if (settings.zippedDownload) {
+                $("body>nav,body>footer,#tree,#extended a").bind("mousedown", noSelection);
+                $("#extended a").live("mousedown", noSelection);
+                $window.bind("mousedown", selectionStart);
+            }
        },
        init = function () {

@ -376,7 +380,7 @@ var H5ai = function (options, langs) {
            initLangSelector(langs);
            localize(langs, settings.lang, settings.useBrowserLang);
            initIndicators();
-            initSelect();
+            initZippedDownload();
        },
        h5ai = {
            settings: settings,
--- a/src/h5ai/options.js
+++ b/src/h5ai/options.js
@ -97,7 +97,13 @@ h5aiOptions = {
     * Only used in PHP implementation.
     * Show thumbnails in Icons view.
     */
-    "showThumbs": true
+    "showThumbs": true,
+
+    /*
+     * Enable zipped download of selected entries. Requieres
+     * PHP on the server.
+     */
+    "zippedDownload": true
 };


@ -117,7 +123,8 @@ h5aiLangs = {
        "parentDirectory": "Parent Directory",
        "empty": "empty",
        "folders": "folders",
-        "files": "files"
+        "files": "files",
+        "download": "download"
    },

    "de": {
@ -130,7 +137,8 @@ h5aiLangs = {
        "parentDirectory": "Übergeordnetes Verzeichnis",
        "empty": "leer",
        "folders": "Ordner",
-        "files": "Dateien"
+        "files": "Dateien",
+        "download": "Download"
    },

    "fr": {
@ -143,7 +151,8 @@ h5aiLangs = {
        "parentDirectory": "Dossier parent",
        "empty": "vide",
        "folders": "Répertoires",
-        "files": "Fichiers"
+        "files": "Fichiers",
+        "download": "download"
    },

    "nl": {
@ -155,8 +164,9 @@ h5aiLangs = {
        "size": "Grootte",
        "parentDirectory": "Bovenliggende map",
        "empty": "lege",
-        "folders": "[?folders?]",
-        "files": "[?files?]"
+        "folders": "folders",
+        "files": "files",
+        "download": "download"
    },

    "sv": {
@ -168,8 +178,9 @@ h5aiLangs = {
        "size": "Filstorlek",
        "parentDirectory": "Till överordnad mapp",
        "empty": "tom",
-        "folders": "[?folders?]",
-        "files": "[?files?]"
+        "folders": "folders",
+        "files": "files",
+        "download": "download"
    },

    "cs": {
@ -182,7 +193,8 @@ h5aiLangs = {
        "parentDirectory": "Nadřazený adresář",
        "empty": "prázdný",
        "folders": "složek",
-        "files": "souborů"
+        "files": "souborů",
+        "download": "download"
    },

    "sk": {
@ -195,7 +207,8 @@ h5aiLangs = {
        "parentDirectory": "Nadriadený priečinok",
        "empty": "prázdny",
        "folders": "priečinkov",
-        "files": "súborov"
+        "files": "súborov",
+        "download": "download"
    },

    "es": {
@ -207,8 +220,9 @@ h5aiLangs = {
        "size": "Tamaño",
        "parentDirectory": "Directorio superior",
        "empty": "vacío",
-        "folders": "[?folders?]",
-        "files": "[?files?]"
+        "folders": "folders",
+        "files": "files",
+        "download": "download"
    },

    "tr": {
@ -220,8 +234,9 @@ h5aiLangs = {
        "size": "Boyut",
        "parentDirectory": "Üst Dizin",
        "empty": "boş",
-        "folders": "[?folders?]",
-        "files": "[?files?]"
+        "folders": "folders",
+        "files": "files",
+        "download": "download"
    },

    "pt": {
@ -234,7 +249,8 @@ h5aiLangs = {
        "parentDirectory": "Diretório superior",
        "empty": "vazio",
        "folders": "pastas",
-        "files": "arquivos"
+        "files": "arquivos",
+        "download": "download"
    },

    "bg": {
@ -247,7 +263,8 @@ h5aiLangs = {
        "parentDirectory": "Предходна директория",
        "empty": "празно",
        "folders": "папки",
-        "files": "файлове"
+        "files": "файлове",
+        "download": "download"
    },

    "lv": {
@ -260,7 +277,8 @@ h5aiLangs = {
        "parentDirectory": "Vecākdirektorijs",
        "empty": "tukšs",
        "folders": "mapes",
-        "files": "faili"
+        "files": "faili",
+        "download": "download"
    },

    "zh-cn": {
@ -273,7 +291,8 @@ h5aiLangs = {
        "parentDirectory": "上层文件夹",
        "empty": "空文件夹",
        "folders": "文件夹",
-        "files": "文件"
+        "files": "文件",
+        "download": "download"
    },

    "pl": {
@ -286,7 +305,8 @@ h5aiLangs = {
        "parentDirectory": "Katalog nadrzędny",
        "empty": "pusty",
        "folders": "foldery",
-        "files": "pliki"
+        "files": "pliki",
+        "download": "download"
    },

    "ru": {
@ -299,6 +319,7 @@ h5aiLangs = {
        "parentDirectory": "Главная директория",
        "empty": "пусто",
        "folders": "папки",
-        "files": "файлы"
+        "files": "файлы",
+        "download": "download"
    }
 };
--- a/src/h5ai/php/h5ai.php
+++ b/src/h5ai/php/h5ai.php
@ -27,7 +27,7 @@ class H5ai {
        $this->sortOrder = array(
            "column" => array_key_exists("col", $_REQUEST) ? $_REQUEST["col"] : $defaultSortOrder["column"],
            "ascending" => array_key_exists("asc", $_REQUEST) ? $_REQUEST["asc"] !== "false" : $defaultSortOrder["ascending"]
-      );
+        );
        $this->dateFormat = $this->options["options"]["dateFormat"];
        $this->view = array_key_exists("view", $_REQUEST) ? $_REQUEST["view"] : $this->options["options"]["viewmodes"][0];
        if (!in_array($this->view, H5ai::$VIEWMODES)) {
@ -96,7 +96,14 @@ class H5ai {
        if ($absPath === null) {
            return $this->absHref;
        }
-        return $this->normalizePath(rawurlencode(preg_replace("!^" . $this->docRoot . "!", "", $absPath)), $endWithSlash);
+        $absHref = preg_replace("!^" . $this->docRoot . "!", "", $absPath);
+        $parts = explode("/", $absHref);
+        $encodedParts = array();
+        foreach ($parts as $part) {
+            $encodedParts[] = rawurlencode($part);
+        }
+        $endodedAbsHref = implode("/", $encodedParts);
+        return $this->normalizePath($endodedAbsHref, $endWithSlash);
    }

    public function getAbsPath($absHref = null) {
--- a/src/h5ai/php/zipcontent.php
+++ b/src/h5ai/php/zipcontent.php
@ -11,14 +11,18 @@ require_once "zipit.php";
 $h5ai = new H5ai();
 $zipit = new ZipIt($h5ai);

-$files = explode(":", trim($_REQUEST["hrefs"]));
+$hrefs = explode(":", trim($_REQUEST["hrefs"]));

-$zipFile = $zipit->zip($files);
+$zipFile = $zipit->zip($hrefs);

-header("Content-Disposition: attachment; filename=\"h5ai-selection.zip\"");
-header("Content-Type: application/force-download");
-header("Content-Length: " . filesize($zipFile));
-header("Connection: close");
-readfile($zipFile);
+if ($zipFile !== false) {
+    header("Content-Disposition: attachment; filename=\"h5ai-selection.zip\"");
+    header("Content-Type: application/force-download");
+    header("Content-Length: " . filesize($zipFile));
+    header("Connection: close");
+    readfile($zipFile);
+} else {
+    echo "sorry, something went wrong while building the zip.";
+}

 ?>
--- a/src/h5ai/php/zipit.php
+++ b/src/h5ai/php/zipit.php
@ -18,12 +18,16 @@ class ZipIt {
        }

        foreach ($hrefs as $href) {
-            $localFile = $this->h5ai->getAbsPath($href);
-            $file = preg_replace("!^" . $this->h5ai->getDocRoot() . "!", "", $localFile);
-            if (is_dir($localFile)) {
-                $this->zipDir($zip, $localFile, $file);
-            } else {
-                $this->zipFile($zip, $localFile, $file);
+            $d = dirname($href);
+            $n = basename($href);
+            if ($this->h5ai->getHttpCode($this->h5ai->getAbsHref($d)) === "h5ai" && !$this->h5ai->ignoreThisFile($n)) {
+                $localFile = $this->h5ai->getAbsPath($href);
+                $file = preg_replace("!^" . $this->h5ai->getDocRoot() . "!", "", $localFile);
+                if (is_dir($localFile)) {
+                    $this->zipDir($zip, $localFile, $file);
+                } else {
+                    $this->zipFile($zip, $localFile, $file);
+                }
            }
        }

@ -40,15 +44,17 @@ class ZipIt {

    private function zipDir($zip, $localDir, $dir) {
            
-        $zip->addEmptyDir($dir);
-        $files = $this->h5ai->readDir($localDir);
-        foreach ($files as $file) {
-            $localFile = $localDir . "/" . $file;
-            $file = $dir . "/" . $file;
-            if (is_dir($localFile)) {
-                $this->zipDir($zip, $localFile, $file);
-            } else {
-                $this->zipFile($zip, $localFile, $file);
+        if ($this->h5ai->getHttpCode($this->h5ai->getAbsHref($localDir)) === "h5ai") {
+            $zip->addEmptyDir($dir);
+            $files = $this->h5ai->readDir($localDir);
+            foreach ($files as $file) {
+                $localFile = $localDir . "/" . $file;
+                $file = $dir . "/" . $file;
+                if (is_dir($localFile)) {
+                    $this->zipDir($zip, $localFile, $file);
+                } else {
+                    $this->zipFile($zip, $localFile, $file);
+                }
            }
        }
    }