
diff --git a/src/www/ui/page/UploadPageBase.php b/src/www/ui/page/UploadPageBase.php
index 7fb9e181..d8fbdd8b 100644
--- a/src/www/ui/page/UploadPageBase.php
+++ b/src/www/ui/page/UploadPageBase.php
@@ -1,261 +1,271 @@
<?php
/***********************************************************
* Copyright (C) 2015 Siemens AG
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
***********************************************************/
namespace Fossology\UI\Page;
use Fossology\Lib\Auth\Auth;
use Fossology\Lib\Dao\FolderDao;
use Fossology\Lib\Dao\UploadDao;
use Fossology\Lib\Plugin\AgentPlugin;
use Fossology\Lib\Plugin\DefaultPlugin;
use Fossology\Lib\UI\MenuHook;
use Monolog\Logger;
use Symfony\Component\HttpFoundation\Request;
abstract class UploadPageBase extends DefaultPlugin
{
const NAME = "upload_file";
const FOLDER_PARAMETER_NAME = 'folder';
const DESCRIPTION_INPUT_NAME = 'descriptionInputName';
const DESCRIPTION_VALUE = 'descriptionValue';
const UPLOAD_FORM_BUILD_PARAMETER_NAME = 'uploadformbuild';
const PUBLIC_ALL = 'public';
const PUBLIC_GROUPS = 'protected';
/** @var FolderDao */
private $folderDao;
/** @var UploadDao */
private $uploadDao;
/** @var Logger */
private $logger;
public function __construct($name, $parameters = array())
{
parent::__construct($name, $parameters);
$this->folderDao = $this->getObject('dao.folder');
$this->uploadDao = $this->getObject('dao.upload');
$this->logger = $this->getObject('logger');
}
abstract protected function handleUpload(Request $request);
abstract protected function handleView(Request $request, $vars);
protected function handle(Request $request)
{
// Handle request
$this->folderDao->ensureTopLevelFolder();
$message = "";
$description = "";
if ($request->isMethod(Request::METHOD_POST))
{
list($success, $message, $description) = $this->handleUpload($request);
}
$vars['message'] = $message;
$vars['descriptionInputValue'] = $description ?: "";
$vars['descriptionInputName'] = self::DESCRIPTION_INPUT_NAME;
$vars['folderParameterName'] = self::FOLDER_PARAMETER_NAME;
$vars['upload_max_filesize'] = ini_get('upload_max_filesize');
$vars['agentCheckBoxMake'] = '';
$rootFolder = $this->folderDao->getRootFolder(Auth::getUserId());
$folderStructure = $this->folderDao->getFolderStructure($rootFolder->getId());
$vars['folderStructure'] = $folderStructure;
$vars['baseUrl'] = $request->getBaseUrl();
$vars['moduleName'] = $this->getName();
$vars[self::FOLDER_PARAMETER_NAME] = $request->get(self::FOLDER_PARAMETER_NAME);
$parmAgentList = MenuHook::getAgentPluginNames("ParmAgents");
$vars['parmAgentContents'] = array();
$vars['parmAgentFoots'] = array();
foreach($parmAgentList as $parmAgent) {
$agent = plugin_find($parmAgent);
$vars['parmAgentContents'][] = $agent->renderContent($vars);
$vars['parmAgentFoots'][] = $agent->renderFoot($vars);
}
$session = $request->getSession();
$session->set(self::UPLOAD_FORM_BUILD_PARAMETER_NAME, time().':'.$_SERVER['REMOTE_ADDR']);
$vars['uploadFormBuild'] = $session->get(self::UPLOAD_FORM_BUILD_PARAMETER_NAME);
$vars['uploadFormBuildParameterName'] = self::UPLOAD_FORM_BUILD_PARAMETER_NAME;
if (@$_SESSION[Auth::USER_LEVEL] >= PLUGIN_DB_WRITE)
{
$skip = array("agent_unpack", "agent_adj2nest", "wget_agent");
$vars['agentCheckBoxMake'] = AgentCheckBoxMake(-1, $skip);
}
return $this->handleView($request, $vars);
}
protected function postUploadAddJobs(Request $request, $fileName, $uploadId, $jobId = null, $wgetDependency = false)
{
$userId = Auth::getUserId();
$groupId = Auth::getGroupId();
if ($jobId === null) {
$jobId = JobAddJob($userId, $groupId, $fileName, $uploadId);
}
$dummy = "";
$adj2nestDependencies = array();
if ($wgetDependency)
{
$adj2nestDependencies = array(array('name'=>'agent_unpack',AgentPlugin::PRE_JOB_QUEUE=>array('wget_agent')));
}
$adj2nestplugin = \plugin_find('agent_adj2nest');
$adj2nestplugin->AgentAdd($jobId, $uploadId, $dummy, $adj2nestDependencies);
$checkedAgents = checkedAgents();
AgentSchedule($jobId, $uploadId, $checkedAgents);
$errorMsg = '';
$parmAgentList = MenuHook::getAgentPluginNames("ParmAgents");
$plainAgentList = MenuHook::getAgentPluginNames("Agents");
$agentList = array_merge($plainAgentList, $parmAgentList);
foreach($parmAgentList as $parmAgent) {
$agent = plugin_find($parmAgent);
$agent->scheduleAgent($jobId, $uploadId, $errorMsg, $request, $agentList);
}
$status = GetRunnableJobList();
$message = empty($status) ? _("Is the scheduler running? ") : "";
$jobUrl = Traceback_uri() . "?mod=showjobs&upload=$uploadId";
$message .= _("The file") . " " . $fileName . " " . _("has been uploaded. It is") . ' <a href=' . $jobUrl . '>upload #' . $uploadId . "</a>.\n";
if ($request->get('public')==self::PUBLIC_GROUPS)
{
$this->getObject('dao.upload.permission')->makeAccessibleToAllGroupsOf($uploadId, $userId);
}
return $message;
}
/**
* \brief checks, whether a string contains some special character without
* escaping
*
* \param $str - the string to check
* \param $char - the character to search for
- *
+
* \return boolean
*/
function str_contains_notescaped_char($str, $char)
{
$pos = 0;
while ($pos < strlen($str) &&
($pos = strpos($str,$char,$pos)) !== FALSE)
{
foreach(range(($pos++) -1, 1, -2) as $tpos)
{
if ($tpos > 0 && $str[$tpos] !== '\\')
+ {
break;
+ }
if ($tpos > 1 && $str[$tpos - 1] !== '\\')
+ {
continue 2;
+ }
}
return TRUE;
}
return FALSE;
}
/**
* \brief checks, whether a path is a pattern from the perspective of a shell
*
* \param $path - the path to check
*
* \return boolean
*/
function path_is_pattern($path)
{
return $this->str_contains_notescaped_char($path, '*')
|| $this->str_contains_notescaped_char($path, '?')
|| $this->str_contains_notescaped_char($path, '[')
|| $this->str_contains_notescaped_char($path, '{');
}
/**
* \brief checks, whether a path contains substrings, which could enable it to
* escape his prefix
*
* \param $path - the path to check
*
* \return boolean
*/
protected function path_can_escape($path)
{
return $this->str_contains_notescaped_char($path, '$')
|| strpos($path,'..')!==FALSE;
}
/**
* \brief normalizes an path and returns FALSE on errors
*
* \param $path - the path to normalize
* \param $appendix - optional parameter, which is used for the recursive call
*
* \return normalized path on success
* FALSE on error
*
*/
function normalize_path($path, $host="localhost", $appendix="")
{
if(strpos($path,'/')===FALSE || $path === '/')
+ {
return FALSE;
+ }
if($this->path_is_pattern($path))
{
$bpath = basename($path);
if ($this->path_can_escape($bpath))
+ {
return FALSE;
+ }
if(strcmp($host,"localhost") === 0)
{
return $this->normalize_path(dirname($path),
$host,
$bpath . ($appendix == '' ?
'' :
'/' . $appendix));
}
else
{
if($this->path_can_escape($path))
+ {
return FALSE;
+ }
return $path . ($appendix == '' ?
'' :
'/' . $appendix);
}
}
else
{
$rpath = realpath($path);
if ($rpath === FALSE)
+ {
return FALSE;
- // if (!@fopen($rpath, 'r'))
- // return FALSE;
+ }
return $rpath . ($appendix == '' ?
'' :
'/' . $appendix);
}
}
function basicShEscaping($str)
{
$str = str_replace('\\', '\\\\', $str);
$str = str_replace('"', '\"', $str);
$str = str_replace('`', '\`', $str);
$str = str_replace('$', '\$', $str);
return $str;
}
}
\ No newline at end of file
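Review bot: In postUploadAddJobs, `$fileName` is concatenated straight into HTML markup on the line beginning `$message .= _("The file")`, so a file name containing `<` or a quote lands in the page unescaped, and the message is evidently rendered raw since it carries its own anchor tag. Wrap the name as `htmlspecialchars($fileName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and quote the attribute, `'<a href="' . $jobUrl . '">'`. In handle(), `@$_SESSION[Auth::USER_LEVEL] >= PLUGIN_DB_WRITE` silences a missing key instead of handling it; `isset($_SESSION[Auth::USER_LEVEL]) && $_SESSION[Auth::USER_LEVEL] >= PLUGIN_DB_WRITE` expresses the same check without suppression. str_contains_notescaped_char also appears to return TRUE for a match at index 1 even when index 0 is a backslash, because the inner checks only run for `$tpos > 0`; that is conservative for path_can_escape but makes path_is_pattern treat `\*` as a pattern, which deserves a comment if intended.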
diff --git a/src/www/ui/page/UploadSrvPage.php b/src/www/ui/page/UploadSrvPage.php
index 4ed80a31..3b632b28 100644
--- a/src/www/ui/page/UploadSrvPage.php
+++ b/src/www/ui/page/UploadSrvPage.php
@@ -1,271 +1,283 @@
<?php
/***********************************************************
Copyright (C) 2008-2014 Hewlett-Packard Development Company, L.P.
Copyright (C) 2015 Siemens AG
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
version 2 as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
***********************************************************/
namespace Fossology\UI\Page;
use Fossology\UI\Page\UploadPageBase;
use Fossology\Lib\Auth\Auth;
use Symfony\Component\HttpFoundation\Request;
class UploadSrvPage extends UploadPageBase
{
const NAME = 'upload_srv_files';
const SOURCE_FILES_FIELD = 'sourceFiles';
public function __construct()
{
parent::__construct(self::NAME, array(
self::TITLE => _("Upload from Server"),
self::MENU_LIST => "Upload::From Server",
self::DEPENDENCIES => array("agent_unpack", "showjobs"),
self::PERMISSION => Auth::PERM_WRITE
));
}
function check_if_host_is_allowed($host)
{
global $SysConf;
$sysConfig = $SysConf['SYSCONFIG'];
if(array_key_exists('UploadFromServerAllowedHosts',$sysConfig)){
$hostListPre = $sysConfig['UploadFromServerAllowedHosts'];
$hostList = explode(':',$hostListPre);
}
else
{
$hostList = ["localhost"];
}
return in_array($host,$hostList);
}
/**
* \brief checks, whether a normalized path starts with an path in the
* whiteliste
*
* \param $path - the path to check
*
* \return boolean
*
*/
function check_by_whitelist($path)
{
global $SysConf;
$sysConfig = $SysConf['SYSCONFIG'];
if(array_key_exists('UploadFromServerWhitelist',$sysConfig)){
$whitelistPre = $sysConfig['UploadFromServerWhitelist'];
$whitelist = explode(':',$whitelistPre);
}
else
{
$whitelist = ["/tmp"];
}
foreach ($whitelist as $item)
+ {
if (substr($path,0,strlen($item)) === trim($item))
+ {
return TRUE;
+ }
+ }
return FALSE;
}
/**
* \brief chck if one file/dir has one permission
*
* \param $path - file path
* \param $server - host name
* \param $permission - permission x/r/w
*
* \return 1: yes; 0: no
*/
function remote_file_permission($path, $server = 'localhost', $persmission = 'r')
{
/** local file */
if ($server === 'localhost' || empty($server))
{
$temp_path = str_replace('\ ', ' ', $path); // replace '\ ' with ' '
return @fopen($temp_path, $persmission);
- } else return 1; // don't do the file permission check if the file is not on the web server
+ }
+ else
+ {
+ return 1; // don't do the file permission check if the file is not on the web server
+ }
}
/**
* \brief chck if one file/dir exist or not
*
* \param $path - file path
* \param $server - host name
*
* \return 1: exist; 0: not
*/
function remote_file_exists($path, $server = 'localhost')
{
/** local file */
if ($server === 'localhost' || empty($server))
{
$temp_path = str_replace('\ ', ' ', $path); // replace '\ ' with ' '
return file_exists($temp_path);
- } else return 1; // don't do the file exist check if the file is not on the web server
+ }
+ else
+ {
+ return 1; // don't do the file exist check if the file is not on the web server
+ }
}
/**
* @param Request $request
* @return Response
*/
protected function handleView(Request $request, $vars)
{
$vars['sourceFilesField'] = self::SOURCE_FILES_FIELD;
$vars['hostlist'] = HostListOption();
return $this->render("upload_srv.html.twig", $this->mergeWithDefault($vars));
}
/**
* @brief Process the upload request.
*/
protected function handleUpload(Request $request)
{
global $Plugins;
define("UPLOAD_ERR_INVALID_FOLDER_PK", 100);
define("UPLOAD_ERR_RESEND", 200);
$uploadErrors = array(
UPLOAD_ERR_INVALID_FOLDER_PK => _("Invalid Folder."),
UPLOAD_ERR_RESEND => _("This seems to be a resent file.")
);
$folderId = intval($request->get(self::FOLDER_PARAMETER_NAME));
$description = stripslashes($request->get(self::DESCRIPTION_INPUT_NAME));
$description = $this->basicShEscaping($description);
if ($request->getSession()->get(self::UPLOAD_FORM_BUILD_PARAMETER_NAME)
!= $request->get(self::UPLOAD_FORM_BUILD_PARAMETER_NAME))
{
return array(false, $uploadErrors[UPLOAD_ERR_RESEND], $description);
}
if (empty($folderId)) {
return array(false, $uploadErrors[UPLOAD_ERR_INVALID_FOLDER_PK], $description);
}
$public = $request->get('public');
$publicPermission = ($public == self::PUBLIC_ALL) ? Auth::PERM_READ : Auth::PERM_NONE;
$sourceFiles = trim($request->get(self::SOURCE_FILES_FIELD));
$sourceFiles = $this->basicShEscaping($sourceFiles);
$host = $request->get('host') ?: "localhost";
if(preg_match('/[^a-z.0-9]/i', $host))
{
$text = _("The given host is not valid.");
return array(false, $text, $description);
}
if(! $this->check_if_host_is_allowed($host))
{
$text = _("You are not allowed to upload from the chosen host.");
return array(false, $text, $description);
}
$shortName = basename($sourceFiles);
if (empty($shortName))
{
$shortName = $sourceFiles;
}
if(strcmp($host,"localhost"))
{
$shortName = $host . ':' . $shortName;
}
$sourceFiles = $this->normalize_path($sourceFiles,$host);
$sourceFiles = str_replace('|', '\|', $sourceFiles);
$sourceFiles = str_replace(' ', '\ ', $sourceFiles);
$sourceFiles = str_replace("\t", "\\t", $sourceFiles);
if ($sourceFiles == FALSE)
{
$text = _("failed to normalize/validate given path");
return array(false, $text, $description);
}
if ($this->check_by_whitelist($sourceFiles) === FALSE)
{
$text = _("no suitable prefix found in the whitelist") . ", " . _("you are not allowed to upload this file");
return array(false, $text, $description);
}
if (!$this->path_is_pattern($sourceFiles) && !$this->remote_file_exists($sourceFiles, $host)) {
$text = _("'$sourceFiles' does not exist.\n");
return array(false, $text, $description);
}
if (!$this->path_is_pattern($sourceFiles) && !$this->remote_file_permission($sourceFiles, $host, "r")) {
$text = _("Have no READ permission on '$sourceFiles'.\n");
return array(false, $text, $description);
}
/* Create an upload record. */
$uploadMode = (1 << 3); // code for "it came from web upload"
$userId = Auth::getUserId();
$groupId = Auth::getGroupId();
$uploadId = JobAddUpload($userId, $groupId, $shortName, $sourceFiles, $description, $uploadMode, $folderId, $publicPermission);
if (empty($uploadId))
{
$text = _("Failed to insert upload record");
return array(false, $text, $description);
}
/* Prepare the job: job "wget" */
$jobpk = JobAddJob($userId, $groupId, "wget", $uploadId);
if (empty($jobpk) || ($jobpk < 0))
{
$text = _("Failed to insert upload record");
return array(false, $text, $description);
}
$jq_args = "$uploadId - $sourceFiles";
$jobqueuepk = JobQueueAdd($jobpk, "wget_agent", $jq_args, "no", NULL, $host);
if (empty($jobqueuepk)) {
$text = _("Failed to insert task 'wget' into job queue");
return array(false, $text, $description);
}
$ErrorMsg = "";
/* schedule agents */
$unpackplugin = &$Plugins[plugin_find_id("agent_unpack")];
$ununpack_jq_pk = $unpackplugin->AgentAdd($jobpk, $uploadId, $ErrorMsg, array("wget_agent"));
if ($ununpack_jq_pk < 0)
{
return array(false, $text, _($ErrorMsg));
}
$adj2nestplugin = &$Plugins[plugin_find_id("agent_adj2nest")];
$adj2nest_jq_pk = $adj2nestplugin->AgentAdd($jobpk, $uploadId, $ErrorMsg, array());
if ($adj2nest_jq_pk < 0)
{
return array(false, $text, _($ErrorMsg));
}
AgentCheckBoxDo($jobpk, $uploadId);
$message = "";
/** check if the scheudler is running */
$status = GetRunnableJobList();
if (empty($status))
{
$message .= _("Is the scheduler running? ");
}
$Url = Traceback_uri() . "?mod=showjobs&upload=$uploadId";
$message .= "The file $sourceFiles has been uploaded. ";
$keep = "It is <a href='$Url'>upload #" . $uploadId . "</a>.\n";
return array(true, $message.$keep, $description);
}
}
register_plugin(new UploadSrvPage());
\ No newline at end of file
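Review bot: The two error returns after the AgentAdd calls (`return array(false, $text, _($ErrorMsg));`, following the `$ununpack_jq_pk < 0` and `$adj2nest_jq_pk < 0` checks) return `$text`, which is unassigned on that path, as the message and put the translated `$ErrorMsg` in the description slot; they should read `return array(false, _($ErrorMsg), $description);`. In check_by_whitelist the prefix test `substr($path,0,strlen($item)) === trim($item)` has no path-separator boundary, so a whitelist entry `/tmp` also admits `/tmpfoo`, and it compares the untrimmed length against the trimmed item, so entries with surrounding whitespace never match; normalise first with `$item = rtrim(trim($item), '/');` and then accept on `$path === $item || strpos($path, $item . '/') === 0`. remote_file_permission returns the resource from `@fopen($temp_path, $persmission)` and never closes it, so every successful check leaks a handle; `fclose` it after testing, or use `is_readable($temp_path)` for the "r" case. The `define()` calls at the top of handleUpload re-run on every POST and warn once the constant already exists in the same process; class constants would avoid that.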
