[Mapbender-commits] r10179 - trunk/mapbender/http/classes
svn_mapbender at osgeo.org
Thu Jul 4 02:00:30 PDT 2019
Author: armin11
Date: 2019-07-04 02:00:30 -0700 (Thu, 04 Jul 2019)
New Revision: 10179
Modified:
trunk/mapbender/http/classes/class_connector.php
Log:
Fix security - don't allow local file system requests thru connector class other than on tmp folder
Modified: trunk/mapbender/http/classes/class_connector.php
===================================================================
--- trunk/mapbender/http/classes/class_connector.php 2019-07-04 07:34:36 UTC (rev 10178)
+++ trunk/mapbender/http/classes/class_connector.php 2019-07-04 09:00:30 UTC (rev 10179)
@@ -67,6 +67,14 @@
//some firewalls have problems to allow requests from a server behind it to the same server through
//an internet connection. It can be that some requests are done thru this class to the urls of
//HTTP_AUTH_PROXY or OWSPROXY. If some of those are part of the url they must be exchanged with 127.0.0.1 - //which hopefully should work.
+ $testMatch = $url;
+ $localTmpFolder = 'file://'.str_replace('classes',ltrim(TMPDIR,'../'),dirname(__FILE__)).'/';
+ $pattern = '/^http:|https:|'.str_replace('/','\/',$localTmpFolder).'/';
+ //$e = new mb_exception('file://'.str_replace('classes',ltrim(TMPDIR,'../'),dirname(__FILE__)).'/');
+ if (!preg_match($pattern,$testMatch)){
+ $e = new mb_exception('classes/class_connector.php: Access to resource not allowed!');
+ return false;
+ }
//TODO: check if http is ok for all
$posPROXY = strpos($url,OWSPROXY);
//$e = new mb_exception('class_connector: old url: '.$url);
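Review bot: the `^` anchor in `$pattern` applies only to the first alternative, so `/^http:|https:|<tmp folder>/` accepts any `$url` that merely contains `https:` or the tmp-folder path somewhere in the string, not only at the start; wrap the alternatives in a group so every branch is anchored, e.g. `$pattern = '/^(http:|https:|'.preg_quote($localTmpFolder, '/').')/';`. Using `preg_quote()` instead of `str_replace('/','\/',$localTmpFolder)` also escapes dots and any other regex metacharacters in the directory path, which the slash-only replacement leaves unescaped. Note as well that `ltrim(TMPDIR,'../')` strips any leading run of the characters `.` and `/` rather than the literal prefix `../`, so the computed `$localTmpFolder` may not be the directory intended; a `realpath()` of the tmp directory would give a stable absolute path and, compared against the `realpath()` of the requested file, would also reject `..` segments that a plain prefix match lets through. The commented-out `//$e = new mb_exception('file://...')` debug line should be dropped before commit.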