Harden controllers and password randomness

Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com>

controllers/d.admin.php

@@ -24,7 +24,10 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
 			if ($user->rankIsHigher("moderator")) {
 			$head['title'] = "Logs";
 
+			$output = array();
 			$files_list = scandir($config['logs_folder']);
+			$logs_folder = realpath($config['logs_folder']);
+			$logs_folder_root = $logs_folder !== false ? rtrim($logs_folder, DIRECTORY_SEPARATOR) : null;
 
 				if (isset($controller->splitted_url[2]) && is_numeric($controller->splitted_url[2]) && intval($controller->splitted_url[2]) < count($files_list)-2) {
 					$filenb = $controller->splitted_url[2];
@@ -33,8 +36,15 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
 					$filenb = 0;
 				}
 
-				chdir($config['logs_folder']);
-				exec("tail -n 200 ".$files_list[$filenb+2]." | tac", $output);
+			$log_file = $files_list[$filenb+2] ?? null;
+			if ($logs_folder_root && $log_file) {
+				$log_file = basename($log_file);
+				$log_path = $logs_folder_root . DIRECTORY_SEPARATOR . $log_file;
+				$real_log_path = realpath($log_path);
+				if ($real_log_path && str_starts_with($real_log_path, $logs_folder_root . DIRECTORY_SEPARATOR)) {
+					exec("tail -n 200 ".escapeshellarg($real_log_path)." | tac", $output);
+				}
+			}
 
 				include ($config['views_folder']."d.admin.logs.html");
 			}
@@ -48,32 +58,37 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
 				$head['title'] = "Fichiers attachés au wiki";
 				$rows_per_pages = 50;
 			$files_folder = $config['medias_folder']."wiki/";
+			$files_folder_real = realpath($files_folder);
+			$files_folder_root = $files_folder_real !== false ? rtrim($files_folder_real, DIRECTORY_SEPARATOR) : rtrim($files_folder, DIRECTORY_SEPARATOR);
 
 					// Delete a file
 				if ($user->rankIsHigher("administrator")) {
 				if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
-						$filename=$files_folder.$controller->splitted_url[3];
-						if (file_exists($filename)) {
-							unlink($filename);
-							error_log(date('r')." \t".$user->name." (".$user->id.") \tDELETE \tDelete wiki file '".$controller->splitted_url[3]."'\r\n",3,$config['logs_folder'].'wiki-files.log');
+					$safe_name = basename($controller->splitted_url[3]);
+					$filename = $files_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+					$real_filename = realpath($filename);
+					if ($real_filename && str_starts_with($real_filename, $files_folder_root . DIRECTORY_SEPARATOR)) {
+						unlink($real_filename);
+						error_log(date('r')." \t".$user->name." (".$user->id.") \tDELETE \tDelete wiki file '".$safe_name."'\r\n",3,$config['logs_folder'].'wiki-files.log');
 					}
 				}
 				}
 
 					// Add a file
 				if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='upload' && isset($_FILES['file'])) {
-					$filename=$config['medias_folder']."wiki/".$_FILES['file']['name'];
-					if(move_uploaded_file($_FILES['file']['tmp_name'], $filename)) {
-						error_log(date('r')." \t".$user->name." (".$user->id.") \tUPLOAD Upload wiki file '".$_FILES['file']['name']."'\r\n",3,$config['logs_folder'].'wiki-files.log');
+					$safe_name = basename($_FILES['file']['name']);
+					$filename = $files_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+					if($safe_name !== '' && move_uploaded_file($_FILES['file']['tmp_name'], $filename)) {
+						error_log(date('r')." \t".$user->name." (".$user->id.") \tUPLOAD Upload wiki file '".$safe_name."'\r\n",3,$config['logs_folder'].'wiki-files.log');
 					}
 
 				}
 
 					// Get the file list
-				$files_list = scandir($files_folder);
+			$files_list = scandir($files_folder_root);
 					// Populate table
 				foreach ($files_list as $file) {
-					$file_path = $files_folder.$file;
+					$file_path = $files_folder_root . DIRECTORY_SEPARATOR . $file;
 
 					if (is_file($file_path)) {
 						$file_info = [
@@ -158,7 +173,16 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
 				$head['title'] = "Export SQL";
 
 			if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
-					unlink($config['abs_root_folder'].'tmp/'.$controller->splitted_url[3]);
+				$tmp_folder = realpath($config['abs_root_folder'].'tmp');
+				if ($tmp_folder !== false) {
+					$safe_name = basename($controller->splitted_url[3]);
+					$tmp_folder_root = rtrim($tmp_folder, DIRECTORY_SEPARATOR);
+					$delete_path = $tmp_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+					$real_delete_path = realpath($delete_path);
+					if ($real_delete_path && str_starts_with($real_delete_path, $tmp_folder_root . DIRECTORY_SEPARATOR)) {
+						unlink($real_delete_path);
+					}
+				}
 				$output = Array();
 				$backup_file = Array();
 			}
@@ -191,7 +215,16 @@ if(isset($controller->splitted_url[1]) && $user->rankIsHigher("moderator")) {
 				$backup_file = Array();
 
 			if(isset($controller->splitted_url[2]) && $controller->splitted_url[2]=='delete' && isset($controller->splitted_url[3])) {
-					unlink($config['abs_root_folder'].'tmp/'.$controller->splitted_url[3]);
+				$tmp_folder = realpath($config['abs_root_folder'].'tmp');
+				if ($tmp_folder !== false) {
+					$safe_name = basename($controller->splitted_url[3]);
+					$tmp_folder_root = rtrim($tmp_folder, DIRECTORY_SEPARATOR);
+					$delete_path = $tmp_folder_root . DIRECTORY_SEPARATOR . $safe_name;
+					$real_delete_path = realpath($delete_path);
+					if ($real_delete_path && str_starts_with($real_delete_path, $tmp_folder_root . DIRECTORY_SEPARATOR)) {
+						unlink($real_delete_path);
+					}
+				}
 			}
 				else {
 					// Nom du fichier de sauvegarde

controllers/d.contact.php

@@ -11,8 +11,9 @@ if(isset($_POST['submit'])) {
 	$message .= "<hr>\r\n";
 	$message .= "<pre style='padding: 10px; background: #ccc;'>".strip_tags(post('message'))."</pre><br>\r\n";
 
-	$headers = 'From: '. post('email') . "\r\n" .
-	'Reply-To: '. post('email') . "\r\n" .
+	$sender = str_replace(["\r", "\n"], '', post('email'));
+	$headers = 'From: '. $sender . "\r\n" .
+	'Reply-To: '. $sender . "\r\n" .
 	'X-Mailer: PHP/' . phpversion() . "\r\n" .
 	'MIME-Version: 1.0' . "\r\n" .
 	'Content-type: text/html; charset=UTF-8' . "\r\n"; 

controllers/d.poi.php

@@ -93,8 +93,13 @@ switch ($controller->splitted_url[1]) {
 
 	case "elevation_proxy":
 		if (isset($_GET['location'])) {
+			if (!preg_match('/^[0-9,\.\|\-]+$/', $_GET['location'])) {
+				$notfound = 1;
+				break;
+			}
+			$location = urlencode($_GET['location']);
 			header("Content-Type: application/json;charset=utf-8");
-			echo(file_get_contents("https://api.opentopodata.org/v1/mapzen?locations=".$_GET['location']));
+			echo(file_get_contents("https://api.opentopodata.org/v1/mapzen?locations=".$location));
 			break;
 		} else {
 			$notfound = 1;

controllers/d.users.php

@@ -16,7 +16,17 @@ if(isset($controller->splitted_url[1])) {
 					if($user->login($_POST['login'], $_POST['password'])) {
 						// SUCESSFULL LOGIN
 						$_SESSION['userid'] = $user->id;
-						header('Location: '.$_SERVER['HTTP_REFERER']);
+						$redirect = $config['rel_root_folder'];
+						if (!empty($_SERVER['HTTP_REFERER'])) {
+							$referer = $_SERVER['HTTP_REFERER'];
+							$parts = parse_url($referer);
+							$host = $_SERVER['HTTP_HOST'] ?? '';
+							if ($parts !== false && ((empty($parts['host']) && empty($parts['scheme'])) || (!empty($host) && isset($parts['host']) && $parts['host'] === $host))) {
+								$redirect = $referer;
+							}
+						}
+						header('Location: '.$redirect);
+						exit;
 					}
 					else {
 						header('Location: '.$config['rel_root_folder'].'user/login?error=1');
@@ -29,7 +39,17 @@ if(isset($controller->splitted_url[1])) {
 			break;
 		case 'logout':
 			session_destroy();
-			header('Location: '.$_SERVER['HTTP_REFERER']);
+			$redirect = $config['rel_root_folder'];
+			if (!empty($_SERVER['HTTP_REFERER'])) {
+				$referer = $_SERVER['HTTP_REFERER'];
+				$parts = parse_url($referer);
+				$host = $_SERVER['HTTP_HOST'] ?? '';
+				if ($parts !== false && ((empty($parts['host']) && empty($parts['scheme'])) || (!empty($host) && isset($parts['host']) && $parts['host'] === $host))) {
+					$redirect = $referer;
+				}
+			}
+			header('Location: '.$redirect);
+			exit;
 			break;
 		case 'signin':
 			$head['js'] = "d.captcha.js";

models/d.users.php

@@ -408,7 +408,7 @@ function randomPassword() {
     $pass = array(); //remember to declare $pass as an array
     $alphaLength = strlen($alphabet) - 1; //put the length -1 in cache
     for ($i = 0; $i < 8; $i++) {
-        $n = rand(0, $alphaLength);
+        $n = random_int(0, $alphaLength);
         $pass[] = $alphabet[$n];
     }
     return implode($pass); //turn the array into a string