fix: Removed filename check from the AppController
- rerouted all calls to the method to the Model equivalent
pull/1493/head
parent
3c57dfb873
commit
80ed1cf65d
|
@ -652,8 +652,4 @@ class AppController extends Controller {
|
|||
$this->Session->setFlash('Caches cleared.');
|
||||
$this->redirect(array('controller' => 'servers', 'action' => 'serverSettings', 'diagnostics'));
|
||||
}
|
||||
|
||||
public function checkFilename($filename) {
|
||||
return preg_match('@^([a-z0-9_.]+[a-z0-9_.\- ]*[a-z0-9_.\-]|[a-z0-9_.])+$@i', $filename);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1884,7 +1884,7 @@ class EventsController extends AppController {
|
|||
$rootDir = APP . "files" . DS . $id . DS;
|
||||
App::uses('Folder', 'Utility');
|
||||
$dir = new Folder($rootDir, true);
|
||||
if (!$this->checkFilename($this->data['Event']['submittedgfi']['name'])) {
|
||||
if (!$this->Event->checkFilename($this->data['Event']['submittedgfi']['name'])) {
|
||||
throw new Exception ('Filename not allowed.');
|
||||
}
|
||||
$zipFile = new File($rootDir . $this->data['Event']['submittedgfi']['name']);
|
||||
|
@ -1912,7 +1912,7 @@ class EventsController extends AppController {
|
|||
public function _addIOCFile($id) {
|
||||
if (!empty($this->data) && $this->data['Event']['submittedioc']['size'] > 0 &&
|
||||
is_uploaded_file($this->data['Event']['submittedioc']['tmp_name'])) {
|
||||
if (!$this->checkFilename($this->data['Event']['submittedioc']['name'])) {
|
||||
if (!$this->Event->checkFilename($this->data['Event']['submittedioc']['name'])) {
|
||||
throw new Exception ('Filename not allowed.');
|
||||
}
|
||||
|
||||
|
@ -2835,7 +2835,7 @@ class EventsController extends AppController {
|
|||
App::uses('FileAccessTool', 'Tools');
|
||||
$tmpdir = Configure::read('MISP.tmpdir') ? Configure::read('MISP.tmpdir') : '/tmp';
|
||||
$tempFile = explode('|', $attribute['data']);
|
||||
if (!$this->checkFilename($tempFile[0])) {
|
||||
if (!$this->Event->checkFilename($tempFile[0])) {
|
||||
throw new Exception('Invalid filename.');
|
||||
}
|
||||
$attribute['data'] = (new FileAccessTool())->readFromFile($tmpdir . '/' . $tempFile[0], $tempFile[1]);
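Review bot: The guard only validates `$tempFile[0]`, but the next line also passes `$tempFile[1]` to readFromFile, and when `$attribute['data']` contains no `|` that index does not exist at all, so the call raises a PHP notice and hands the reader a null second argument. Tighten the check to the shape of the value before trusting either half: `if (count($tempFile) !== 2 || !$this->Event->checkFilename($tempFile[0])) {`. What the second element is meant to be is not visible here; if it is a byte count, a `ctype_digit($tempFile[1])` test alongside would keep a crafted value out of the reader. The enclosing method starts and ends outside this hunk.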
|
||||
|
|
|
@ -540,7 +540,7 @@ class ServersController extends AppController {
|
|||
App::uses('File', 'Utility');
|
||||
App::uses('Folder', 'Utility');
|
||||
App::uses('FileAccessTool', 'Tools');
|
||||
if (!$this->checkFilename($server['Server'][$subm]['name'])) {
|
||||
if (!$this->Server->checkFilename($server['Server'][$subm]['name'])) {
|
||||
throw new Exception ('Filename not allowed');
|
||||
}
|
||||
$file = new File($server['Server'][$subm]['name']);
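Review bot: On the last line the submitted name is handed to `new File(...)` with no base directory prepended, so the model's checkFilename is the only thing separating the request from the filesystem, and its implementation is not visible in this commit. If it is the same pattern this commit deletes from AppController, note that `..` matches it (`[a-z0-9_.]+` accepts dots alone), so the check rejects slashes but not the parent-directory name; adding `|| $name === '.' || $name === '..'` to the rejection, or resolving the name with `basename()` under a known directory, would close that. Presumably `$subm` is an uploaded-file array and the real bytes are read from tmp_name further down — confirm, since the method continues outside the hunk.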
|
||||
|
|
|
@ -327,7 +327,7 @@ class TemplatesController extends AppController {
|
|||
$this->loadModel('Attribute');
|
||||
$fails = 0;
|
||||
foreach ($attributes as $k => &$attribute) {
|
||||
if (isset($attribute['data']) && $this->checkFilename($attribute['data'])) {
|
||||
if (isset($attribute['data']) && $this->Template->checkFilename($attribute['data'])) {
|
||||
$file = new File(APP . 'tmp/files/' . $attribute['data']);
|
||||
$content = $file->read();
|
||||
$attribute['data'] = base64_encode($content);
|
||||
|
@ -370,7 +370,7 @@ class TemplatesController extends AppController {
|
|||
// filename checks
|
||||
foreach ($this->request->data['Template']['file'] as $k => $file) {
|
||||
if ($file['size'] > 0 && $file['error'] == 0) {
|
||||
if ($this->checkFilename($file['name'])) {
|
||||
if ($this->Template->checkFilename($file['name'])) {
|
||||
$fn = $this->Template->generateRandomFileName();
|
||||
move_uploaded_file($file['tmp_name'], APP . 'tmp/files/' . $fn);
|
||||
$filenames[] = $file['name'];
|
||||
|
@ -400,7 +400,7 @@ class TemplatesController extends AppController {
|
|||
if (!$this->request->is('post')) throw new MethodNotAllowedException('This action is restricted to accepting POST requests only.');
|
||||
if (!$this->request->is('ajax')) throw new MethodNotAllowedException('This action is only accessible through AJAX.');
|
||||
$this->autoRender = false;
|
||||
if ($this->checkFilename($filename)) {
|
||||
if ($this->Template->checkFilename($filename)) {
|
||||
$file = new File(APP . 'tmp/files/' . $filename);
|
||||
if ($file->exists()) {
|
||||
$file->delete();
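Review bot: In the upload loop of the second hunk, the return value of `move_uploaded_file($file['tmp_name'], APP . 'tmp/files/' . $fn)` is discarded, yet `$file['name']` is appended to `$filenames` on the next line regardless, so a failed move (full disk, unwritable tmp/files, open_basedir) silently records an attachment that never landed. Guard it with `if (!move_uploaded_file($file['tmp_name'], APP . 'tmp/files/' . $fn)) { throw new Exception('Could not store uploaded file.'); }` or whichever failure path the rest of that method uses, which lies outside the hunk. Note also that the filename check there runs on `$file['name']` while the stored name is the random `$fn`, so the regex only guards what gets recorded, not where the bytes go — fine if that is the intent, but worth a one-line comment saying so.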
|
||||
|
|