mirror of https://github.com/MISP/MISP
Removal of more remnants of the old ACL and tightening of the filename
checks - actsAs ACL removed from the Role and User models together with some extra code related to the ACL - fix of the filename regex as pointed out by cvandeplas. pull/64/merge
parent
0eec208b45
commit
6332dbf05b
|
@ -329,13 +329,13 @@ class AttributesController extends AppController {
|
|||
if ($this->request->data['Attribute']['malware']) {
|
||||
$this->request->data['Attribute']['type'] = "malware-sample";
|
||||
// Validate filename
|
||||
if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
$this->request->data['Attribute']['value'] = $filename . '|' . $tmpfile->md5(); // TODO gives problems with bigger files
|
||||
$this->request->data['Attribute']['to_ids'] = 1; // LATER let user choose to send this to IDS
|
||||
} else {
|
||||
$this->request->data['Attribute']['type'] = "attachment";
|
||||
// Validate filename
|
||||
if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
$this->request->data['Attribute']['value'] = $filename;
|
||||
$this->request->data['Attribute']['to_ids'] = 0;
|
||||
}
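Review bot: The anchored pattern on the second changed line still lets `$` match before a trailing newline (no `D` modifier) and lets `\s` admit tabs and newlines inside the stem, so a `.txt` name followed by a newline passes, and nothing constrains the extension beyond its length, so names ending in `.php` or `.exe` are accepted as attachments — acceptable only if the storage directory is never served directly. If plain spaces are the only intended whitespace, `if (!preg_match('@^[\w, -]+\.[A-Za-z0-9_]{2,4}$@D', $filename)) throw new Exception ('Filename not allowed');` closes both gaps and also moves the hyphen to the end of the class, where the current `\w-,` relies on PCRE treating a hyphen after a class escape as literal (PCRE2, used by PHP 7.3+, rejects that form unless the hyphen is last). The same line is duplicated six times across this controller, ShadowAttributesController and EventsController in this commit; moving it into one shared helper on AppController keeps any future tightening in one place. The enclosing action starts and ends outside the hunk.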
|
||||
|
|
|
@ -1467,7 +1467,7 @@ class EventsController extends AppController {
|
|||
$dir = new Folder($rootDir, true);
|
||||
$destpath = $rootDir;
|
||||
$file = new File ($destpath);
|
||||
if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $this->data['Event']['submittedfile']['name'])) throw new Exception ('Filename not allowed');
|
||||
if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $this->data['Event']['submittedfile']['name'])) throw new Exception ('Filename not allowed');
|
||||
$zipfile = new File ($destpath . DS . $this->data['Event']['submittedfile']['name']);
|
||||
$result = $zipfile->write($zipData);
|
||||
if (!$result) $this->Session->setFlash(__('Problem with writing the zip file. Please report to administrator.'));
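Review bot: A failed write on the last line only sets a flash message and falls through, so unless the code after the hunk re-checks `$result`, the action continues as though the archive had been written; returning or throwing right after the `setFlash` call would make the failure terminal. `$file = new File ($destpath)` two lines above the changed line is not referenced anywhere else in the hunk and looks like a leftover. The client-supplied `submittedfile` name is also reused verbatim as the on-disk name once it passes the regex; generating the stored name server-side and keeping the original only as metadata would remove the dependence on that single check. The enclosing function starts and ends outside the hunk.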
|
||||
|
|
|
@ -351,13 +351,13 @@ class ShadowAttributesController extends AppController {
|
|||
if ($this->request->data['ShadowAttribute']['malware']) {
|
||||
$this->request->data['ShadowAttribute']['type'] = "malware-sample";
|
||||
// Validate filename
|
||||
if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
$this->request->data['ShadowAttribute']['value'] = $filename . '|' . $tmpfile->md5(); // TODO gives problems with bigger files
|
||||
$this->request->data['ShadowAttribute']['to_ids'] = 1; // LATER let user choose to send this to IDS
|
||||
} else {
|
||||
$this->request->data['ShadowAttribute']['type'] = "attachment";
|
||||
// Validate filename
|
||||
if (!preg_match('@[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
if (!preg_match('@^[\w-,\s]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
|
||||
$this->request->data['ShadowAttribute']['value'] = $filename;
|
||||
$this->request->data['ShadowAttribute']['to_ids'] = 0;
|
||||
}
|
||||
|
|
|
@ -47,14 +47,12 @@ class Role extends AppModel {
|
|||
);
|
||||
|
||||
/**
|
||||
* TODO ACL: 1: be requester to CakePHP ACL system
|
||||
*
|
||||
* @var unknown_type
|
||||
*/
|
||||
public $actsAs = array(
|
||||
'Acl' => array('type' => 'requester'),
|
||||
'MagicTools.OrphansProtectable',
|
||||
'Trim',
|
||||
'MagicTools.OrphansProtectable',
|
||||
'SysLogLogable.SysLogLogable' => array( // TODO Audit, logable
|
||||
'roleModel' => 'Role',
|
||||
'roleKey' => 'role_id',
|
||||
|
@ -62,12 +60,6 @@ class Role extends AppModel {
|
|||
),
|
||||
);
|
||||
|
||||
/**
|
||||
* TODO ACL: 2: hook Role into CakePHP ACL system (so link to aros)
|
||||
*/
|
||||
public function parentNode() {
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Virtual field
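Review bot: If the docblock above `public $actsAs` (`TODO ACL: 1: be requester to CakePHP ACL system` with `@var unknown_type`) remains on the new side — the rendered view does not show which lines were removed — it now describes a behaviour this commit deletes and should be replaced by a plain `@var array` comment. Dropping `parentNode()` in the second hunk is consistent with removing the `Acl` requester entry, since that hook only served the requester tree. The `$actsAs` array continues past the end of the first hunk.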
|
||||
|
|
|
@ -74,7 +74,7 @@ class User extends AppModel {
|
|||
'org_id' => array(
|
||||
'notempty' => array(
|
||||
'rule' => array('notempty'),
|
||||
'message' => 'Please specify the organisation ID where you are working.', // TODO ACL, org_id in Users
|
||||
'message' => 'Please specify the organisation ID where you are working.',
|
||||
//'allowEmpty' => false,
|
||||
//'required' => false,
|
||||
//'last' => false, // Stop validation after this rule
|
||||
|
@ -230,14 +230,7 @@ class User extends AppModel {
|
|||
)
|
||||
);
|
||||
|
||||
/**
|
||||
* TODO ACL: 1: be requester to CakePHP ACL system
|
||||
*/
|
||||
public $actsAs = array(
|
||||
'Acl' => array( // TODO ACL, + 'enabled' => false
|
||||
'type' => 'requester',
|
||||
'enabled' => false
|
||||
),
|
||||
'SysLogLogable.SysLogLogable' => array( // TODO Audit, logable
|
||||
'userModel' => 'User',
|
||||
'userKey' => 'user_id',
|
||||
|
@ -247,33 +240,6 @@ class User extends AppModel {
|
|||
//'RemoveNewline' => array('fields' => array('gpgkey')),
|
||||
);
|
||||
|
||||
/**
|
||||
* TODO ACL: 2: hook User into CakePHP ACL system (so link to aros)
|
||||
*/
|
||||
public function parentNode() {
|
||||
if (!$this->id && empty($this->data)) {
|
||||
return null;
|
||||
}
|
||||
if (isset($this->data['User']['role_id'])) {
|
||||
$roleId = $this->data['User']['role_id'];
|
||||
} else {
|
||||
$roleId = $this->field('role_id');
|
||||
}
|
||||
if (!$roleId) {
|
||||
return null;
|
||||
} else {
|
||||
return array('Role' => array('id' => $roleId));
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* TODO ACL: 3: rights on Roles: http://stackoverflow.com/questions/6154285/aros-table-in-cakephp-is-still-including-users-even-after-bindnode
|
||||
*/
|
||||
public function bindNode($user) {
|
||||
// return array('model' => 'Group', 'foreign_key' => $user['User']['role_id']);
|
||||
return array('Role' => array('id' => $user['User']['role_id']));
|
||||
}
|
||||
|
||||
public function beforeSave() {
|
||||
if (isset($this->data[$this->alias]['password'])) {
|
||||
$this->data[$this->alias]['password'] = AuthComponent::password($this->data[$this->alias]['password']);
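Review bot: `beforeSave()` at the end of the last hunk hashes the password with `AuthComponent::password()`, which in CakePHP 2 is the framework's default salted hash rather than an adaptive, work-factor-based one; if the framework version in use offers a bcrypt-based hasher, switching to it is a worthwhile follow-up now that this commit is already reworking the model. Removing `parentNode()` and `bindNode()` together with the `Acl` entry in `$actsAs` is consistent, as both existed only to feed the requester tree. `beforeSave()` continues past the end of the hunk.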
|
||||
|
|