Added fix for zip bomb (openemr#7407)

DiscoverAndChange · May 26, 2024 · d019f25 · d019f25
1 parent 57973a2
commit d019f25
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/interface/super/manage_document_templates.php b/interface/super/manage_document_templates.php
@@ -99,8 +99,32 @@
  die(xlt('Cannot determine a destination filename'));
  }
  $path_parts = pathinfo($form_dest_filename);
- if (!in_array(strtolower($path_parts['extension'] ?? ''), array('odt', 'txt', 'docx', 'zip'))) {
- die(text(strtolower($path_parts['extension'] ?? '')) . ' ' . xlt('filetype is not accepted'));
+ $extension = strtolower($path_parts['extension'] ?? '');
+
+ if (!in_array($extension, array('odt', 'txt', 'docx', 'zip'))) {
+ die(text($extension) . ' ' . xlt('filetype is not accepted'));
+ }
+
+ // Check if the uploaded file is a zip file
+ if ($extension === 'zip') {
+ $maxZipSize = 1048576; // 1 MB (adjust the size as needed)
+ if ($_FILES['form_file']['size'] > $maxZipSize) {
+ die(xlt('Zip file size exceeds the maximum allowed size'));
+ }
+
+ // Check for nested zip files
+ $zip = new ZipArchive;
+ if ($zip->open($tmp_name) === true) {
+ for ($i = 0; $i < $zip->numFiles; $i++) {
+ $nestedFile = $zip->getNameIndex($i);
+ if (pathinfo($nestedFile, PATHINFO_EXTENSION) === 'zip') {
+ die(xlt('Nested zip files are not allowed'));
+ }
+ }
+ $zip->close();
+ } else {
+ die(xlt('Failed to open the zip file'));
+ }
  }
 
  $templatepath = "$templatedir/$form_dest_filename";