From 6332dbf05b4aeda865a4faf0ef3b02a5bebc66ec Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Mon, 29 Apr 2013 10:52:07 +0200
Subject: [PATCH] Removal of more remnants of the old ACL and tightening of the filename checks
- actAs acl removed from role and user models together with some extra code related to the ACL
- Fix of the filename regex as pointed out by cvandeplas.
---
app/Controller/AttributesController.php | 4 +--
app/Controller/EventsController.php | 2 +-
app/Controller/ShadowAttributesController.php | 4 +--
app/Model/Role.php | 10 +-----
app/Model/User.php | 36 +------------------
5 files changed, 7 insertions(+), 49 deletions(-)
diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index 067449a42..28dc072a7 100755
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -329,13 +329,13 @@ class AttributesController extends AppController {
 if ($this->request->data['Attribute']['malware']) {
 $this->request->data['Attribute']['type'] = "malware-sample";
 // Validate filename
- if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
+ if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
 $this->request->data['Attribute']['value'] = $filename . '|' . $tmpfile->md5(); // TODO gives problems with bigger files
 $this->request->data['Attribute']['to_ids'] = 1; // LATER let user choose to send this to IDS
 } else {
 $this->request->data['Attribute']['type'] = "attachment";
 // Validate filename
- if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
+ if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
 $this->request->data['Attribute']['value'] = $filename;
 $this->request->data['Attribute']['to_ids'] = 0;
 }
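Review bot: The new `^` anchor still does not make the match cover the whole string, because PCRE's `$` without the `D` modifier also matches just before a final newline, so a name such as `sample.exe\n` passes the check on both `+` lines; end the pattern with `\z` instead: `if (!preg_match('@^[\w,\s-]+\.[A-Za-z0-9_]{2,4}\z@', $filename)) throw new Exception ('Filename not allowed');`. Moving the hyphen to the end of the class is not cosmetic: PCRE2 (PHP 7.3+) reports the `[\w-,` form as an invalid range, preg_match then returns false and the `!` turns that into a rejection of every upload. `\s` also admits tabs and embedded line breaks inside the name; if only spaces are meant to be allowed, write a literal space in the class instead. The enclosing method starts before this hunk, so where `$filename` is assigned is not visible here.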
diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index c0e81dcea..c3e1f6535 100755
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -1467,7 +1467,7 @@ class EventsController extends AppController {
 $dir = new Folder($rootDir, true);
 $destpath = $rootDir;
 $file = new File ($destpath);
- if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $this->data['Event']['submittedfile']['name'])) throw new Exception ('Filename not allowed');
+ if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $this->data['Event']['submittedfile']['name'])) throw new Exception ('Filename not allowed');
 $zipfile = new File ($destpath . DS . $this->data['Event']['submittedfile']['name']);
 $result = $zipfile->write($zipData);
 if (!$result) $this->Session->setFlash(__('Problem with writing the zip file. Please report to administrator.'));
diff --git a/app/Controller/ShadowAttributesController.php b/app/Controller/ShadowAttributesController.php
index 0ab516b4e..f0dc5a3ef 100644
--- a/app/Controller/ShadowAttributesController.php
+++ b/app/Controller/ShadowAttributesController.php
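Review bot: The name checked on the `+` line is concatenated into a filesystem path one line later (`$destpath . DS . $this->data['Event']['submittedfile']['name']`), and `$` without the `D` modifier still lets a value ending in a newline through the anchored pattern; use `\z` so the match has to reach the real end of the string: `'@^[\w,\s-]+\.[A-Za-z0-9_]{2,4}\z@'`. The class excludes `/`, backslash and any `.` other than the one before the extension, so directory traversal is blocked, but `\s` keeps tabs, newlines and leading or trailing whitespace legal in a name that is written to disk under `$rootDir`. With the hyphen placed last the class also stops being the `[\w-,` form that PCRE2 (PHP 7.3+) rejects as an invalid range, which would make preg_match return false and refuse every upload. The enclosing method begins and ends outside this hunk.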
@@ -351,13 +351,13 @@ class ShadowAttributesController extends AppController {
 if ($this->request->data['ShadowAttribute']['malware']) {
 $this->request->data['ShadowAttribute']['type'] = "malware-sample";
 // Validate filename
- if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
+ if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
 $this->request->data['ShadowAttribute']['value'] = $filename . '|' . $tmpfile->md5(); // TODO gives problems with bigger files
 $this->request->data['ShadowAttribute']['to_ids'] = 1; // LATER let user choose to send this to IDS
 } else {
 $this->request->data['ShadowAttribute']['type'] = "attachment";
 // Validate filename
- if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
+ if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
 $this->request->data['ShadowAttribute']['value'] = $filename;
 $this->request->data['ShadowAttribute']['to_ids'] = 0;
 }
diff --git a/app/Model/Role.php b/app/Model/Role.php
index 255b334c1..293102e19 100755
--- a/app/Model/Role.php
+++ b/app/Model/Role.php
@@ -47,14 +47,12 @@ class Role extends AppModel {
 );
 /**
- * TODO ACL: 1: be requester to CakePHP ACL system
 *
 * @var unknown_type
 */
 public $actsAs = array(
- 'Acl' => array('type' => 'requester'),
- 'MagicTools.OrphansProtectable', 'Trim',
+ 'MagicTools.OrphansProtectable',
 'SysLogLogable.SysLogLogable' => array( // TODO Audit, logable
 'roleModel' => 'Role',
 'roleKey' => 'role_id',
@@ -62,12 +60,6 @@ class Role extends AppModel {
 ),
 );
-/**
- * TODO ACL: 2: hook Role into CakePHP ACL system (so link to aros)
- */
- public function parentNode() {
- return null;
- }
 /**
 * Virtual field
diff --git a/app/Model/User.php b/app/Model/User.php
index f506a125e..48d10ff8a 100755
--- a/app/Model/User.php
+++ b/app/Model/User.php
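Review bot: This hunk is the third copy of the same filename pattern in the change set (AttributesController and EventsController carry identical lines), so the next tightening has to be repeated in three places again; hoist it into one helper on the shared parent controller, e.g. `if (!$this->isValidFilename($filename)) throw new Exception ('Filename not allowed');` with the pattern defined once. While doing so, end the pattern with `\z` rather than `$`, which in PCRE still matches before a trailing newline, and put the hyphen last in the class (`[\w,\s-]`), because PCRE2 on PHP 7.3+ treats `[\w-,` as an invalid range and the resulting false from preg_match would reject every upload. The method that assigns `$filename` starts before this hunk.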
@@ -74,7 +74,7 @@ class User extends AppModel {
 'org_id' => array(
 'notempty' => array(
 'rule' => array('notempty'),
- 'message' => 'Please specify the organisation ID where you are working.', // TODO ACL, org_id in Users
+ 'message' => 'Please specify the organisation ID where you are working.',
 //'allowEmpty' => false,
 //'required' => false,
 //'last' => false, // Stop validation after this rule
@@ -230,14 +230,7 @@ class User extends AppModel {
 )
 );
-/**
- * TODO ACL: 1: be requester to CakePHP ACL system
- */
 public $actsAs = array(
- 'Acl' => array( // TODO ACL, + 'enabled' => false
- 'type' => 'requester',
- 'enabled' => false
- ),
 'SysLogLogable.SysLogLogable' => array( // TODO Audit, logable
 'userModel' => 'User',
 'userKey' => 'user_id',
@@ -247,33 +240,6 @@ class User extends AppModel {
 //'RemoveNewline' => array('fields' => array('gpgkey')),
 );
-/**
- * TODO ACL: 2: hook User into CakePHP ACL system (so link to aros)
- */
- public function parentNode() {
- if (!$this->id && empty($this->data)) {
- return null;
- }
- if (isset($this->data['User']['role_id'])) {
- $roleId = $this->data['User']['role_id'];
- } else {
- $roleId = $this->field('role_id');
- }
- if (!$roleId) {
- return null;
- } else {
- return array('Role' => array('id' => $roleId));
- }
- }
-
-/**
- * TODO ACL: 3: rights on Roles: http://stackoverflow.com/questions/6154285/aros-table-in-cakephp-is-still-including-users-even-after-bindnode
- */
- public function bindNode($user) {
- // return array('model' => 'Group', 'foreign_key' => $user['User']['role_id']);
- return array('Role' => array('id' => $user['User']['role_id']));
- }
-
 public function beforeSave() {
 if (isset($this->data[$this->alias]['password'])) {
 $this->data[$this->alias]['password'] = AuthComponent::password($this->data[$this->alias]['password']);