From f73f34e77502adc3d94166b72dba24ed0d9e7563 Mon Sep 17 00:00:00 2001 From: Stefan Brand Date: Fri, 18 Feb 2022 10:08:22 +0100 Subject: [PATCH] Implemented Basic Input Validation --- index.php | 37 +++++++++++++++++++++++++++++-------- lib/helpers.class.php | 20 ++++++++++++++++++++ tpl/error.html | 12 ++++++++++++ 3 files changed, 61 insertions(+), 8 deletions(-) create mode 100644 tpl/error.html diff --git a/index.php b/index.php index ad881bb..fb5073a 100644 --- a/index.php +++ b/index.php @@ -26,7 +26,19 @@ $gslice = $_GET['gs'] ?? $conf['defslice']; $dir = $_GET['d'] ?? $conf['defdir']; $sort = $_GET['so'] ?? 1; +// Input Validation and Sanitazion +$page = Helpers::validate_int($page, 1, PHP_INT_MAX) ? $page : $conf['defpage']; +$slice = Helpers::validate_int($slice, 1, 100) ? $slice : $conf['defslice']; +$gslice = Helpers::validate_int($gslice, 1, 100) ? $gslice : $conf['defslice']; +$sort = Helpers::validate_int($sort, 0, 1) ? $sort : $conf['defslice']; + +// Set Some Variables +$host = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST']; +$proto = isset($_SERVER['HTTP_X_FORWARDED_PROTO']) ? $_SERVER['HTTP_X_FORWARDED_PROTO'] : $_SERVER['REQUEST_SCHEME']; +$secure = ($proto == 'https'); + // Create or Load Session +session_set_cookie_params([ 'lifetime' => 3600, 'path' => '/', 'domain' => $host, 'secure' => $secure, 'httponly' => true, 'samesite' => 'lax' ]); session_start(); // Initialize Thumbnail Handler @@ -46,7 +58,9 @@ if (isset($_SESSION[$cdir]) } else { $r_imagedir = realpath($imagedir.$dir); if ($r_imagedir === false || strpos(Helpers::end_dir($r_imagedir), $r_basedir.DIRECTORY_SEPARATOR) !== 0) { - print "Path Traversal Detected!"; + $data['script'] = $_SERVER['PHP_SELF']; + $data['errormsg'] = 'A Path Traversal was Detected'; + Template::view('tpl/error.html', $data); exit(); } $tmpdirs = glob(Helpers::end_dir($imagedir.$dir).'*' , GLOB_ONLYDIR); @@ -69,13 +83,20 @@ if (isset($_SESSION[$cdir]) $filter=''; if (isset($_GET['f'])) { if ($_GET['f'] != '') { - $tr = array('(' => '\(', ')' => '\)'); - $f = strtr($_GET['f'], $tr); - if (!empty($files)) - $files = array_values(preg_grep('/.*'.$f.'.*/i', $files)); - if (!empty($dirs)) - $dirs = array_values(preg_grep('/.*'.$f.'.*/i', $dirs)); - $filter='&f='.$_GET['f']; + if (Helpers::validate_search($_GET['f'])) { + $tr = array('(' => '\(', ')' => '\)'); + $f = strtr($_GET['f'], $tr); + if (!empty($files)) + $files = array_values(preg_grep('/.*'.$f.'.*/i', $files)); + if (!empty($dirs)) + $dirs = array_values(preg_grep('/.*'.$f.'.*/i', $dirs)); + $filter='&f='.$_GET['f']; + } else { + $data['script'] = $_SERVER['PHP_SELF']; + $data['errormsg'] = 'An Invalid Search String was detected'; + Template::view('tpl/error.html', $data); + exit(); + } } } diff --git a/lib/helpers.class.php b/lib/helpers.class.php index 4219cda..796d1c8 100644 --- a/lib/helpers.class.php +++ b/lib/helpers.class.php @@ -11,6 +11,26 @@ class Helpers { } } + // Check if a Variable is an Integer and in the defined Range + public static function validate_int($int, $min, $max) { + if (is_string($int) && !ctype_digit($int)) { + return false; // contains non digit characters + } + if (!is_int((int) $int)) { + return false; // other non-integer value or exceeds PHP_MAX_INT + } + return ($int >= $min && $int <= $max); + } + + // Check Search String for Valid Characters + public static function validate_search($search) { + if (!preg_match("#^[a-zA-Z0-9äöüÄÖÜ _\-\.\*\?]+$#", $search)) { + return false; + } else { + return true; + } + } + } ?> \ No newline at end of file diff --git a/tpl/error.html b/tpl/error.html new file mode 100644 index 0000000..f6952b0 --- /dev/null +++ b/tpl/error.html @@ -0,0 +1,12 @@ +{% extends tpl/layout.html %} + +{% block title %}An Error Occured{% endblock %} + +{% block content %} + +
+

{{ $errormsg }}

+

Return to Homepage

+
+ +{% endblock %} \ No newline at end of file