From 10e006bdbe7a0d0ff37e99412295eb47538ea929 Mon Sep 17 00:00:00 2001
From: Benjamin Sonntag <benjamin@sonntag.fr>
Date: Tue, 17 May 2016 18:12:57 +0200
Subject: [PATCH] [security] fixing DO_ACTIONS.PHP for REALPATH.

---
 src/do_actions.php | 76 ++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 70 insertions(+), 6 deletions(-)

diff --git a/src/do_actions.php b/src/do_actions.php
index b42bd580..e9fe7d0f 100644
--- a/src/do_actions.php
+++ b/src/do_actions.php
@@ -119,6 +119,24 @@ function execute_cmd($command, $parameters=array()) {
   return array('executed' => $cmd_line, 'output'=>$output, 'return_var'=>$code);
 }
 
+/** Check if a file or folder is in the list of allowed 
+ *  path (after dereferencing all ../ and symlinks
+ * @param $path string the path to check against 
+ * @return string the dereferenced path, or FALSE if the path is NOT allowed (/var/www/alternc /var/mail/alternc) 
+ */
+function my_realpath($path) {
+    global $L_ALTERNC_HTML, $L_ALTERNC_MAIL;
+    // add here any allowed path: 
+    $allowed=array(realpath($L_ALTERNC_HTML)."/", realpath($L_ALTERNC_MAIL)."/");
+    $path=realpath($path);
+    foreach($allowed as $one) {
+        // the path must be BELOW each allowed folder. forbid anything 
+        if (strlen($path)>strlen($one) && substr($path,0,strlen($one))==$one) {
+            return $path;
+        }
+    }
+    return false;
+}
 
 // Check if script isn't already running
 if (file_exists(ALTERNC_DO_ACTION_LOCK) !== false){
@@ -197,7 +215,11 @@ while ($rr=$action->get_action()){
       $returned = execute_cmd("$FIXPERM -u", $params["uid"]);
       break;
     case "CHMOD" :
-        $filename=$params["filename"];
+        $filename=my_realpath($params["filename"]);
+        if ($filename===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
         $perms=$params["perms"];
         // Checks the file or directory exists
         if( !is_dir($filename) && ! is_file($filename)){
@@ -214,6 +236,13 @@ while ($rr=$action->get_action()){
         
       break;
     case "CREATE_FILE" :
+        $dirname=my_realpath(dirname($params["filename"]));
+        $filename=basename($params["filename"]);
+        if ($dirname===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
+        $params["file"]=$dirname.DIRECTORY_SEPARATOR.$filename;
       if(!file_exists($params["file"])) {
         if ( file_put_contents($params["file"], $params["content"]) === false ) {
           $errorsList=array("Fail: can't write into file ".$params["file"]);
@@ -227,16 +256,41 @@ while ($rr=$action->get_action()){
       }
       break;
     case "CREATE_DIR" :
-      // Create the directory and make parent directories as needed
-      $returned = execute_cmd("$SU mkdir", array('-p', $params["dir"]));
+        $dirname=my_realpath(dirname($params["dir"]));
+        $filename=basename($params["dir"]);
+        if ($dirname===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
+        $params["dir"]=$dirname.DIRECTORY_SEPARATOR.$filename;
+        // Create the directory and make parent directories as needed
+        $returned = execute_cmd("$SU mkdir", array('-p', $params["dir"]));
       break;
     case "DELETE" :
-      // Delete file/directory and its contents recursively
-      $returned = execute_cmd("$SU rm", array('-rf', $params["dir"]));
+        $dirname=my_realpath($params["dir"]);
+        if ($dirname===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
+        // Delete file/directory and its contents recursively
+        $returned = execute_cmd("$SU rm", array('-rf', $dirname));
       break;
     case "MOVE" :
       // If destination dir does not exists, create it
-      if(!is_dir($params["dst"]))
+        $dirname=my_realpath(dirname($params["dst"]));
+        $filename=basename($params["dst"]);
+        if ($dirname===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
+        $params["dst"]=$dirname.DIRECTORY_SEPARATOR.$filename;
+        $params["src"]=my_realpath($params["src"]);
+        if ($params["src"]===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
+
+      if (!is_dir($params["dst"]))
         if ( @mkdir($params["dst"], 0777, true)) {
           if ( @chown($params["dst"], $r["user"]) ) {
             $returned = execute_cmd("$SU mv -f", array($params["src"], $params["dst"])); 
@@ -247,12 +301,22 @@ while ($rr=$action->get_action()){
         
       break;
     case "FIX_DIR" :
+        $params["dir"]=my_realpath($params["dir"]);
+        if ($params["dir"]===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
       $returned = execute_cmd($FIXPERM, array('-d', $params["dir"]));
       if($returned['return_val'] != 0) {
             $errorsList=array("Fixperms.sh failed, returned error code : ".$returned['return_val']);
       }
       break;
     case "FIX_FILE" :
+        $params["file"]=my_realpath($params["file"]);
+        if ($params["file"]===false) {
+            $errorsList=array("Fail: path not allowed");
+            break;
+        }
       $returned = execute_cmd($FIXPERM, array('-f', $params["file"]));
       if($returned['return_val'] != 0){
           $errorsList=array("Fixperms.sh failed, returned error code : ".$returned['return_val']);