Fix: [ bug #1212 ] 'jqueryFileTree.php' directory traversal

vulnerability

ChangeLog

@@ -7,6 +7,7 @@ English Dolibarr ChangeLog
 Fix: Warning into bank conciliation feature.
 Fix: Bad get of localtaxes into contracts add lines.
 Fix: Add a limit into list to avoid browser to hang when database is too large.
+Fix: [ bug #1212 ] 'jqueryFileTree.php' directory traversal vulnerability
 
 ***** ChangeLog for 3.4.2 compared to 3.4.1 *****
 Fix: field's problem into company's page (RIB).

dev/dolibarr_changes.txt

@@ -53,3 +53,9 @@ window.location.href=pRef
 JCROP:
 ------
 * Remove analytics tag into file index.html
+
+
+JQUERYFILETREE:
+---------------
+* Remove directory htdocs/includes/jquery/plugins/jqueryFileTree/connectors
+

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.asp

-<%
-'
-' jQuery File Tree ASP (VBS) Connector
-' Copyright 2008 Chazzuka
-' programmer@chazzuka.com
-' http://www.chazzuka.com/
-'
-' retrive base directory
-dim BaseFileDir:BaseFileDir=Request.Form("dir")
-' if blank give default value
-if len(BaseFileDir)=0 then BaseFileDir="/userfiles/"
-
-dim ObjFSO,BaseFile,Html
-' resolve the absolute path
-BaseFile = Server.MapPath(BaseFileDir)&"\"
-' create FSO
-Set ObjFSO = Server.CreateObject("Scripting.FileSystemObject")
-' if given folder is exists
-if ObjFSO.FolderExists(BaseFile) then
-       dim ObjFolder,ObjSubFolder,ObjFile,i__Name,i__Ext
-       Html = Html +  "<ul class=""jqueryFileTree"" style=""display: none;"">"&VBCRLF
-       Set ObjFolder = ObjFSO.GetFolder(BaseFile)
-       ' LOOP THROUGH SUBFOLDER
-       For Each ObjSubFolder In ObjFolder.SubFolders
-               i__Name=ObjSubFolder.name
-               Html = Html + "<li class=""directory collapsed"">"&_
-                                         "<a href=""#"" rel="""+(BaseFileDir+i__Name+"/")+""">"&_
-                                         (i__Name)+"</a></li>"&VBCRLF
-       Next
-       'LOOP THROUGH FILES
-       For Each ObjFile In ObjFolder.Files
-               ' name
-               i__Name=ObjFile.name
-               ' extension
-               i__Ext = LCase(Mid(i__Name, InStrRev(i__Name, ".", -1, 1) + 1))
-               Html = Html + "<li class=""file ext_"&i__Ext&""">"&_
-                                         "<a href=""#"" rel="""+(BaseFileDir+i__Name)+""">"&_
-                                         (i__name)+"</a></li>"&VBCRLF
-       Next
-       Html = Html +  "</ul>"&VBCRLF
-end if
-
-Response.Write Html
-%>
\ No newline at end of file

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.aspx

-<%@ Page Language="C#" AutoEventWireup="true" %>
-
-<%
-	//
-	// jQuery File Tree ASP Connector
-	//
-	// Version 1.0
-	//
-	// Copyright (c)2008 Andrew Sweeny
-	// asweeny@fit.edu
-	// 24 March 2008
-	//
-	string dir;
-	if(Request.Form["dir"] == null || Request.Form["dir"].Length <= 0)
-		dir = "/";
-	else
-		dir = Server.UrlDecode(Request.Form["dir"]);
-	System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(dir);
-	Response.Write("<ul class=\"jqueryFileTree\" style=\"display: none;\">\n");
-	foreach (System.IO.DirectoryInfo di_child in di.GetDirectories())
-		Response.Write("\t<li class=\"directory collapsed\"><a href=\"#\" rel=\"" + dir + di_child.Name + "/\">" + di_child.Name + "</a></li>\n");
-	foreach (System.IO.FileInfo fi in di.GetFiles())
-	{
-		string ext = ""; 
-		if(fi.Extension.Length > 1)
-			ext = fi.Extension.Substring(1).ToLower();
-			
-		Response.Write("\t<li class=\"file ext_" + ext + "\"><a href=\"#\" rel=\"" + dir + fi.Name + "\">" + fi.Name + "</a></li>\n");		
-	}
-	Response.Write("</ul>");
- %>
\ No newline at end of file

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.cf

-<!---
-
-jQuery File Tree
-ColdFusion connector script
-By Tjarko Rikkerink (http://carlosgallupa.com/)
-
---->
-<cfparam name="form.dir" default="/somedir" />
-<cfdirectory action="LIST" directory="#expandpath('#URLDecode(form.dir)#')#" name="qDir" sort="type, name" type="all" listinfo="all" recurse="no">
-
-<ul class="jqueryFileTree" style="display: none;">
-       <cfoutput query="qDir">
-               <cfif type eq "dir">
-                   <li class="directory collapsed"><a href="##" rel="#URLDecode(form.dir)##name#/">#name#</a></li>
-               <cfelseif type eq "file">
-               <li class="file ext_#listLast(name,'.')#"><a href="##" rel="#URLDecode(form.dir)##name#">#name# (#round(size/1024)#KB)</a></li>
-               </cfif>
-       </cfoutput>
-</ul>
\ No newline at end of file

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp

-<%@ page
-	import="java.io.File,java.io.FilenameFilter,java.util.Arrays"%>
-<%
-/**
-  * jQuery File Tree JSP Connector
-  * Version 1.0
-  * Copyright 2008 Joshua Gould
-  * 21 April 2008
-*/	
-    String dir = request.getParameter("dir");
-    if (dir == null) {
-    	return;
-    }
-	
-	if (dir.charAt(dir.length()-1) == '\\') {
-    	dir = dir.substring(0, dir.length()-1) + "/";
-	} else if (dir.charAt(dir.length()-1) != '/') {
-	    dir += "/";
-	}
-	
-	dir = java.net.URLDecoder.decode(dir, "UTF-8");	
-	
-    if (new File(dir).exists()) {
-		String[] files = new File(dir).list(new FilenameFilter() {
-		    public boolean accept(File dir, String name) {
-				return name.charAt(0) != '.';
-		    }
-		});
-		Arrays.sort(files, String.CASE_INSENSITIVE_ORDER);
-		out.print("<ul class=\"jqueryFileTree\" style=\"display: none;\">");
-		// All dirs
-		for (String file : files) {
-		    if (new File(dir, file).isDirectory()) {
-				out.print("<li class=\"directory collapsed\"><a href=\"#\" rel=\"" + dir + file + "/\">"
-					+ file + "</a></li>");
-		    }
-		}
-		// All files
-		for (String file : files) {
-		    if (!new File(dir, file).isDirectory()) {
-				int dotIndex = file.lastIndexOf('.');
-				String ext = dotIndex > 0 ? file.substring(dotIndex + 1) : "";
-				out.print("<li class=\"file ext_" + ext + "\"><a href=\"#\" rel=\"" + dir + file + "\">"
-					+ file + "</a></li>");
-		    	}
-		}
-		out.print("</ul>");
-    }
-%>
\ No newline at end of file

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.php

-<?php
-//
-// jQuery File Tree PHP Connector
-//
-// Version 1.01
-//
-// Cory S.N. LaViska
-// A Beautiful Site (http://abeautifulsite.net/)
-// 24 March 2008
-//
-// History:
-//
-// 1.01 - updated to work with foreign characters in directory/file names (12 April 2008)
-// 1.00 - released (24 March 2008)
-//
-// Output a list of files for jQuery File Tree
-//
-
-$_POST['dir'] = urldecode($_POST['dir']);
-
-if( file_exists($root . $_POST['dir']) ) {
-	$files = scandir($root . $_POST['dir']);
-	natcasesort($files);
-	if( count($files) > 2 ) { /* The 2 accounts for . and .. */
-		echo "<ul class=\"jqueryFileTree\" style=\"display: none;\">";
-		// All dirs
-		foreach( $files as $file ) {
-			if( file_exists($root . $_POST['dir'] . $file) && $file != '.' && $file != '..' && is_dir($root . $_POST['dir'] . $file) ) {
-				echo "<li class=\"directory collapsed\"><a href=\"#\" rel=\"" . htmlentities($_POST['dir'] . $file) . "/\">" . htmlentities($file) . "</a></li>";
-			}
-		}
-		// All files
-		foreach( $files as $file ) {
-			if( file_exists($root . $_POST['dir'] . $file) && $file != '.' && $file != '..' && !is_dir($root . $_POST['dir'] . $file) ) {
-				$ext = preg_replace('/^.*\./', '', $file);
-				echo "<li class=\"file ext_$ext\"><a href=\"#\" rel=\"" . htmlentities($_POST['dir'] . $file) . "\">" . htmlentities($file) . "</a></li>";
-			}
-		}
-		echo "</ul>";	
-	}
-}
-
-?>
\ No newline at end of file

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.pl

-#!/usr/bin/perl
-use strict;
-use HTML::Entities ();
-
-#-----------------------------------------------------------
-#  jQuery File Tree Perl Connector
-#
-#  Version 1.0
-#
-#  Oleg Burlaca
-#  http://www.burlaca.com/2009/02/jquery-file-tree-connector/
-#  12 February 2009
-#-----------------------------------------------------------
-
-# for security reasons,  specify a root folder 
-# to prevent the whole filesystem to be shown
-# for ex: the root folder of your webbrowser
- 
-my $root = "/var/www/html/";
-
-#----------------------------------------------------------
-
-my $params = &getCGIParams();
-print "Content-type: text/html\n\n";
-
-my $dir = $params->{dir};
-my $fullDir = $root . $dir;
-
-exit if ! -e $fullDir;
-
-opendir(BIN, $fullDir) or die "Can't open $dir: $!";
-my (@folders, @files);
-my $total = 0;
-while( defined (my $file = readdir BIN) ) {
-    next if $file eq '.' or $file eq '..';
-    $total++;
-    if (-d "$fullDir/$file") {
-	push (@folders, $file);
-    } else {
-	push (@files, $file);
-    }
-}
-closedir(BIN);
-
-return if $total == 0;
-print "<ul class=\"jqueryFileTree\" style=\"display: none;\">";
-
-# print Folders
-foreach my $file (sort @folders) {
-    next if ! -e  $fullDir . $file;
-    
-    print '<li class="directory collapsed"><a href="#" rel="' . 
-          &HTML::Entities::encode($dir . $file) . '/">' . 
-          &HTML::Entities::encode($file) . '</a></li>';
-}
-
-# print Files
-foreach my $file (sort @files) {
-    next if ! -e  $fullDir . $file;
-
-    $file =~ /\.(.+)$/;
-    my $ext = $1;
-    print '<li class="file ext_' . $ext . '"><a href="#" rel="' . 
-    &HTML::Entities::encode($dir . $file) . '/">' .
-    &HTML::Entities::encode($file) . '</a></li>';
-}
-
-print "</ul>\n";
-
-
-
-
-#--------------------------------------------------------------------------------------------------
-sub getCGIParams {
-    my $line;
-    
-    if ($ENV{'REQUEST_METHOD'} eq "POST") {
-        read(STDIN, $line, $ENV{'CONTENT_LENGTH'});
-    } else {
-        $line = $ENV{'QUERY_STRING'};
-    }
-
-    my (@pairs) = split(/&/, $line);
-    my ($name, $value, %F);
-        
-    foreach (@pairs) {
-        ($name, $value) = split(/=/);
-        $value =~ tr/+/ /;
-        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
-        
-        if (! exists $F{$name}) {
-            $F{$name} = $value;
-        } elsif (exists $F{$name} and ref($F{$name}) ne 'ARRAY') {
-            my $prev_value = $F{$name};
-            delete $F{$name};
-            $F{$name} = [ $prev_value, $value ];
-	} else { push @{ $F{$name} }, $value }
-    }
-    return \%F;
-}
-#--------------------------------------------------------------------------------------------------                                                                                        
-                                                                    
\ No newline at end of file

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.py

-#
-# jQuery File Tree
-# Python/Django connector script
-# By Martin Skou
-#
-import os
-import urllib
-
-def dirlist(request):
-   r=['<ul class="jqueryFileTree" style="display: none;">']
-   try:
-       r=['<ul class="jqueryFileTree" style="display: none;">']
-       d=urllib.unquote(request.POST.get('dir','c:\\temp'))
-       for f in os.listdir(d):
-           ff=os.path.join(d,f)
-           if os.path.isdir(ff):
-               r.append('<li class="directory collapsed"><a href="#" rel="%s/">%s</a></li>' % (ff,f))
-           else:
-               e=os.path.splitext(f)[1][1:] # get .ext and remove dot
-               r.append('<li class="file ext_%s"><a href="#" rel="%s">%s</a></li>' % (e,ff,f))
-       r.append('</ul>')
-   except Exception,e:
-       r.append('Could not load directory: %s' % str(e))
-   r.append('</ul>')
-   return HttpResponse(''.join(r))
\ No newline at end of file

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.rb

-#
-# jQuery File Tree Ruby Connector
-#
-# Version 1.01
-#
-# Erik Lax
-# http://datahack.se
-# 13 July 2008
-#
-# History
-#
-# 1.01 Initial Release
-#
-# Output a list of files for jQuery File Tree
-#
-
-#<settings>
-#root = "/absolute/path/"
-# or
-root = File.expand_path(".")
-#</settings>
-
-#<code>
-require "cgi"
-cgi = CGI.new
-cgi.header("type" => "text/html")
-dir = cgi.params["dir"].to_s
-
-puts "<ul class=\"jqueryFileTree\" style=\"display: none;\">"
-begin
-	path = root + "/" + dir 
-
-	# chdir() to user requested dir (root + "/" + dir) 
-	Dir.chdir(File.expand_path(path).untaint);
-	
-	# check that our base path still begins with root path
-	if Dir.pwd[0,root.length] == root then
-
-		#loop through all directories
-		Dir.glob("*") {
-			|x|
-			if not File.directory?(x.untaint) then next end 
-			puts "<li class=\"directory collapsed\"><a href=\"#\" rel=\"#{dir}#{x}/\">#{x}</a></li>";
-		}
-
-		#loop through all files
-		Dir.glob("*") {
-			|x|
-			if not File.file?(x.untaint) then next end 
-			ext = File.extname(x)[1..-1]
-			puts "<li class=\"file ext_#{ext}\"><a href=\"#\" rel=\"#{dir}#{x}\">#{x}</a></li>"
-		}
-	else
-		#only happens when someone tries to go outside your root directory...
-		puts "You are way out of your league"
-	end 
-rescue 
-	puts "Internal Error"
-end
-puts "</ul>"
-#</code>

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree_huck.lasso

-[
-	//
-	// jQuery File Tree Lasso Connector
-	//
-	// Version 1.00
-	//
-	// Jason Huck
-	// http://devblog.jasonhuck.com/
-	// 1 May 2008
-	//
-	// History:
-	//
-	// 1.00 - released (1 May 2008)
-	//
-	// Output a list of files for jQuery File Tree
-	//
-
-	!action_param('dir') ? abort;
-	var('dir') = action_param('dir');
-	var('files') = file_listdirectory($dir);
-
-	'<ul class="jqueryFileTree" style="display: none;">';
-
-	iterate($files, local('file'));
-		#file->beginswith('.') ? loop_continue;
-	
-		if(#file->endswith('/'));
-			'<li class="directory collapsed"><a href="#" rel="' + $dir + #file + '">' + #file + '</a></li>';
-		else;
-			local('ext') = #file->split('.')->last;			
-			'<li class="file ext_' + #ext + '"><a href="#" rel="' + $dir + #file + '">' + #file + '</a></li>';
-		/if;
-	/iterate;
-	
-	'</ul>';
-]

htdocs/includes/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree_sabourdin.lasso

-<?LassoScript
-//
-// jQuery File Tree LASSO Connector
-//
-// Version 1.00
-//
-// Marc Sabourdin
-// CysNET (http://www.marcsabourdin.com/)
-// 23 May 2008
-//
-// History:
-//
-// 1.00 - released (23 May 2008)
-//
-// Output a list of files for jQuery File Tree
-//
-Encode_set:-EncodeNone;
-
-Variable:'root' = 'path_to_desired_and_Lasso_allowed_root';
-Variable:'_POST.dir' = (action_param:'dir');
-Variable:'files';
-
-
-if:( file_exists: ($root + $_POST.dir) )&&( File_IsDirectory:($root + $_POST.dir) );
-	$files = (File_ListDirectory:($root + $_POST.dir));
-	$files->(Sort);
-	if:( $files->(Size) > 0 );
-		output:'<ul class="jqueryFileTree" style="display: none;">';
-		// All dirs
-		Iterate:($files),(Local:'file');
-			if:( file_exists:($root + $_POST.dir + #file) )&&( #file != '.' )&&( #file != '..' )&&( File_IsDirectory:($root + $_POST.dir + #file) );
-				output:'<li class="directory collapsed"><a href="#" rel="' + (String_replace:($_POST.dir + #file),-Find=' ',-Replace='__') + '">' + (Encode_HTML:(#file)) + '</a></li>';
-			/if;
-		/Iterate;
-		// All files
-		Local:'ext';
-		Iterate:($files),(Local:'file');
-			if:( file_exists:($root + $_POST.dir + #file) )&&( #file != '.' )&&( #file != '..' )&&( (File_IsDirectory:($root + $_POST.dir + #file))==false );
-				#ext = (#file)->(Split:'.')->Last;
-				output:'<li class="file ext_' + (#ext) + '"><a href="' + ($_POST.dir + #file) + '">' + (Encode_HTML:(#file)) + '</a></li>';
-			/if;
-		/Iterate;
-		output:'</ul>';	
-	/if;
-/if;
-
-/Encode_set;
-?>
\ No newline at end of file