From d019f2548ddd3c04583a37b9ad70742bf37c8eb4 Mon Sep 17 00:00:00 2001
From: Tanmay Pardeshi
Date: Sun, 26 May 2024 22:08:21 +0530
Subject: [PATCH] Added fix for zip bomb (#7407)

---
 interface/super/manage_document_templates.php | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/interface/super/manage_document_templates.php b/interface/super/manage_document_templates.php
index acd986b3056..7053b54de97 100644
--- a/interface/super/manage_document_templates.php
+++ b/interface/super/manage_document_templates.php
@@ -99,8 +99,32 @@
         die(xlt('Cannot determine a destination filename'));
     }
     $path_parts = pathinfo($form_dest_filename);
-    if (!in_array(strtolower($path_parts['extension'] ?? ''), array('odt', 'txt', 'docx', 'zip'))) {
-        die(text(strtolower($path_parts['extension'] ?? '')) . ' ' . xlt('filetype is not accepted'));
+    $extension = strtolower($path_parts['extension'] ?? '');
+
+    if (!in_array($extension, array('odt', 'txt', 'docx', 'zip'))) {
+        die(text($extension) . ' ' . xlt('filetype is not accepted'));
+    }
+
+    // Check if the uploaded file is a zip file
+    if ($extension === 'zip') {
+        $maxZipSize = 1048576; // 1 MB (adjust the size as needed)
+        if ($_FILES['form_file']['size'] > $maxZipSize) {
+            die(xlt('Zip file size exceeds the maximum allowed size'));
+        }
+
+        // Check for nested zip files
+        $zip = new ZipArchive;
+        if ($zip->open($tmp_name) === true) {
+            for ($i = 0; $i < $zip->numFiles; $i++) {
+                $nestedFile = $zip->getNameIndex($i);
+                if (pathinfo($nestedFile, PATHINFO_EXTENSION) === 'zip') {
+                    die(xlt('Nested zip files are not allowed'));
+                }
+            }
+            $zip->close();
+        } else {
+            die(xlt('Failed to open the zip file'));
+        }
     }
     $templatepath = "$templatedir/$form_dest_filename";
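Review bot: The two new checks bound only the compressed upload size and nested-entry names, so an archive that passes both can still expand far beyond 1 MB on extraction — the entry loop never looks at each entry's uncompressed size, which is the quantity a zip-bomb defence has to cap; `ZipArchive::statIndex($i)['size']` gives the declared uncompressed size and the loop should sum it against a ceiling. The nested-zip test is also case-sensitive (`pathinfo(...) === 'zip'` lets `.ZIP` through) while `$extension` itself was lowercased a few lines earlier; use `strtolower()` on the entry extension for consistency. `$tmp_name` is passed to `$zip->open()` but is not assigned in the hunk, so it presumably comes from `$_FILES['form_file']['tmp_name']` earlier in the enclosing block, which starts and ends outside the hunk — worth confirming. Because the central-directory sizes are themselves part of the untrusted file, the extraction code that follows (not in this hunk) should additionally bound the bytes it actually writes out.
```php
        // Check for nested zip files and bound the declared uncompressed size
        $maxUncompressed = 10 * 1048576; // constructed cap; tune to the deployment
        $totalUncompressed = 0;
        $zip = new ZipArchive;
        if ($zip->open($tmp_name) === true) {
            for ($i = 0; $i < $zip->numFiles; $i++) {
                $nestedFile = $zip->getNameIndex($i);
                if (strtolower(pathinfo($nestedFile, PATHINFO_EXTENSION)) === 'zip') {
                    die(xlt('Nested zip files are not allowed'));
                }
                $stat = $zip->statIndex($i);
                if ($stat === false) {
                    die(xlt('Failed to read the zip file'));
                }
                $totalUncompressed += $stat['size'];
                if ($totalUncompressed > $maxUncompressed) {
                    die(xlt('Zip contents exceed the maximum allowed uncompressed size'));
                }
            }
            $zip->close();
        // … unchanged: else branch that rejects an unopenable archive …
```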