Commit 814cbaea authored by Robert Lyon's avatar Robert Lyon

Security bug 1770535: Files imported via Leap2A importer need virus check

If uploaded Leap2A zip files contain infected files, we need to
check them before finishing the import.

Also we should check existing zipped files for viruses as well, eg:

1) Upload a zip file with virus
2) Turn on clamav
3) Try extracting the zip file

behatnotneeded

Change-Id: I7635deb5f69e6fdb60e89d11ddf9362bb7928994
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent fa71b35b
......@@ -61,29 +61,43 @@ if (!empty($folderid)) {
// Read the archive information, throw an ArchiveException if error
$zipinfo = $file->read_archive();
$message = $error = false;
if ($zipinfo) {
$quotaallowed = false;
if ($file->get('owner')) {
$quotaallowed = $USER->quota_allowed($zipinfo->totalsize);
$badzipfile = false;
if (get_config('viruschecking')) {
// Need to double-check the contents of zip file for viruses in case file
// was uploaded before virus check turned on.
require_once('uploadmanager.php');
$path = $file->get_path();
if ($errormsg = mahara_clam_scan_file($path)) {
$badzipfile = true;
$file->delete();
}
}
else if ($file->get('group')) {
$quotaallowed = group_quota_allowed($file->get('group'), $zipinfo->totalsize);
$quotaallowed = false;
if (!$badzipfile) {
if ($file->get('owner')) {
$quotaallowed = $USER->quota_allowed($zipinfo->totalsize);
}
else if ($file->get('group')) {
$quotaallowed = group_quota_allowed($file->get('group'), $zipinfo->totalsize);
}
else {
// no institution quotas yet
$quotaallowed = true;
}
}
else {
// no institution quotas yet
$quotaallowed = true;
$goto = files_page($file);
if ($parent = $file->get('parent')) {
$goto .= (strpos($goto, '?') === false ? '?' : '&') . 'folder=' . $parent;
}
$message = $quotaerror = false;
if ($quotaallowed) {
if ($quotaallowed && !$badzipfile) {
$name = $file->unzip_directory_name();
$message = get_string('fileswillbeextractedintofolder', 'artefact.file', $name['fullname']);
$goto = files_page($file);
if ($parent = $file->get('parent')) {
$goto .= (strpos($goto, '?') === false ? '?' : '&') . 'folder=' . $parent;
}
$form = pieform(array(
'name' => 'unzip_artefact',
'elements' => array(
......@@ -100,9 +114,13 @@ if ($zipinfo) {
),
));
}
else if ($badzipfile) {
$form = '<a class="btn btn-primary" href="' . $goto . '">' . get_string('back') . '</a>';
$error = get_string('viruszipfile', 'artefact.file');
}
else {
$form = '';
$quotaerror = '<div class="error alert alert-danger">' . get_string('insufficientquotaforunzip', 'artefact.file') . "</div>";
$form = '<a class="btn btn-primary" href="' . $goto . '">' . get_string('back') . '</a>';
$error = get_string('insufficientquotaforunzip', 'artefact.file');
}
}
......@@ -110,7 +128,7 @@ $smarty = smarty(array(), array(), array(), $smartyconfig);
$smarty->assign('file', $file);
$smarty->assign('zipinfo', $zipinfo);
$smarty->assign('message', $message);
$smarty->assign('quotaerror', $quotaerror);
$smarty->assign('error', $error);
$smarty->assign('form', $form);
$smarty->display('artefact:file:extract.tpl');
......
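Review bot: In the first hunk, `$file->delete()` runs on any non-empty return from `mahara_clam_scan_file($path)` and the `$errormsg` it returns is then discarded; if that helper also reports scanner failures (the `clamlost` branches removed elsewhere in this commit suggest it may), a clean archive would be removed and the user told it was infected. Confirm the return value only signals a detection before deleting, and write the message to the site log so admins can see what was quarantined. After the delete, `files_page($file)` and `$file->get('parent')` are still called on the deleted artefact, which presumably works from the in-memory object but deserves a comment such as `// artefact already deleted; only the cached parent id is used for the redirect`. In the second hunk the back link is built twice from `$goto` without attribute escaping and is later emitted via `{$form|safe}`; build it once with `htmlspecialchars($goto, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`.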
......@@ -372,3 +372,4 @@ $string['progress_video'] = array(
'Add %s videos',
);
$string['anytypeoffile'] = 'File (any type)';
$string['viruszipfile'] = 'Clam AV has found a file that is infected with a virus. The compressed file has been quarantined and removed from your account.';
......@@ -52,14 +52,8 @@ class PluginImportFile extends PluginImport {
continue;
}
if (get_config('viruschecking')) {
$pathtoclam = escapeshellcmd(trim(get_config('pathtoclam')));
if ($pathtoclam && file_exists($pathtoclam) && is_executable($pathtoclam)) {
if ($errormsg = mahara_clam_scan_file($uzd . $f)) {
throw new ImportException($this, $errormsg);
}
}
else {
clam_mail_admins(get_string('clamlost', 'mahara', $pathtoclam));
if ($errormsg = mahara_clam_scan_file($uzd . $f)) {
throw new ImportException($this, $errormsg);
}
}
$sha1 = sha1_file($uzd . $f);
......
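Review bot: The removed `file_exists`/`is_executable` guard around `mahara_clam_scan_file($uzd . $f)` also dropped the `clam_mail_admins(get_string('clamlost', ...))` notification for a missing scanner binary; unless that notification now lives inside `mahara_clam_scan_file` (not shown in this diff), a misconfigured `pathtoclam` will no longer alert anyone. The same simplification is made in the upload_manager hunk (`@@ -120,14 +120,8 @@`). Worth confirming what the helper does when the binary is absent, i.e. whether it returns a message that aborts the import or passes the file through, and recording the expectation with a comment like `// mahara_clam_scan_file() handles a missing or non-executable scanner and notifies admins`. The enclosing method starts outside the hunk.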
......@@ -82,6 +82,14 @@ class PluginImportLeap extends PluginImport {
public static function validate_transported_data(ImporterTransport $transport) {
$importdata = $transport->files_info();
if (get_config('viruschecking')) {
// Need to check the contents of zip file for viruses in case file
require_once('uploadmanager.php');
$path = $importdata['importfile'];
if ($errormsg = mahara_clam_scan_file($path)) {
throw new ImportException($transport, $errormsg);
}
}
if (!$file = self::find_file($importdata)) {
throw new ImportException(null, 'Missing leap xml file');
}
......
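Review bot: The comment `// Need to check the contents of zip file for viruses in case file` in validate_transported_data() is cut off mid-sentence (it looks copied from extract.php); replace it with `// Scan the uploaded archive before extraction; PluginImportFile's per-file scan only covers content that reaches the file importer.` Scanning `$importdata['importfile']` as a whole relies on the scanner's own archive inspection and size limits, which is a weaker guarantee than the per-extracted-file scan elsewhere in this commit, so a scan of the extracted tree later in the import would be a useful complement. `$importdata['importfile']` is also read without checking the key exists, although `self::find_file($importdata)` on the next line presumably makes the same assumption.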
......@@ -120,14 +120,8 @@ class upload_manager {
}
if (get_config('viruschecking')) {
$pathtoclam = escapeshellcmd(trim(get_config('pathtoclam')));
if ($pathtoclam && file_exists($pathtoclam) && is_executable($pathtoclam)) {
if ($errormsg = mahara_clam_scan_file($file, $this->inputindex)) {
return $errormsg;
}
}
else {
clam_mail_admins(get_string('clamlost', 'mahara', $pathtoclam));
if ($errormsg = mahara_clam_scan_file($file, $this->inputindex)) {
return $errormsg;
}
}
......
......@@ -6,7 +6,7 @@
<div class="row">
<div class="col-md-6">
<p class="detail">
<strong>{str tag=Files section=artefact.file}:</strong>
<strong>{str tag=Files section=artefact.file}:</strong>
{$zipinfo->files}
<br>
<strong>{str tag=Folders section=artefact.file}:</strong>
......@@ -15,12 +15,14 @@
<strong>{str tag=spacerequired section=artefact.file}:</strong>
{$zipinfo->displaysize}
</p>
{if $quotaerror}
{$quotaerror|safe}
{if $error}
<div class="error alert alert-danger">
{$error|safe}
</div>
{else}
<div class="alert alert-info">
<div class="alert alert-info">
{$message}
</div>
</div>
{/if}
{$form|safe}
</div>
......
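Review bot: `{$error|safe}` renders whatever is assigned to `error` unescaped, while the adjacent `{$message}` is escaped. Both values assigned in extract.php today are fixed language strings from get_string() with no markup, so this is safe now, but a future scanner or quota message passed through `error` would reach the page unescaped. Since the alert markup is already in the template, `{$error}` would suffice; otherwise note in extract.php that `error` must only carry trusted markup, e.g. `// $error is rendered with |safe; assign get_string() output only.`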