From 84827513e89b01b0622f55901a2e05d75695b6b5 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Tue, 4 Feb 2014 18:02:50 -0600
Subject: [PATCH] oops: Fix download of attachments from FAQ and Canned
---
include/class.attachment.php | 1 -
include/class.faq.php | 2 +-
include/class.file.php | 3 ++-
include/staff/cannedresponse.inc.php | 2 +-
include/staff/faq.inc.php | 2 +-
scp/file.php | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/class.attachment.php b/include/class.attachment.php
index 10159f5e8..c605b7ca0 100644
--- a/include/class.attachment.php
+++ b/include/class.attachment.php
@@ -171,7 +171,6 @@ class GenericAttachments {
$attachments = array();
foreach ($this->attachments as $a) {
if ($a['inline'] != $separate || $a['inline'] == $inlines) {
- $a['key'] = md5($a['id'].session_id().$a['key']);
$a['file_id'] = $a['id'];
$attachments[] = $a;
}
diff --git a/include/class.faq.php b/include/class.faq.php
index d009d58c3..09d5b2dcb 100644
--- a/include/class.faq.php
+++ b/include/class.faq.php
@@ -195,7 +195,7 @@ class FAQ {
if(($attachments=$this->attachments->getSeparates())) {
foreach($attachments as $attachment ) {
/* The h key must match validation in file.php */
- $hash=$attachment['hash'].md5($attachment['id'].session_id().$attachment['hash']);
+ $hash=$attachment['key'].md5($attachment['id'].session_id().strtolower($attachment['key']));
if($attachment['size'])
$size=sprintf(' <small>(<i>%s</i>)</small>',Format::file_size($attachment['size']));
diff --git a/include/class.file.php b/include/class.file.php
index a2944c9db..902eaf2ea 100644
--- a/include/class.file.php
+++ b/include/class.file.php
@@ -112,7 +112,8 @@ class AttachmentFile {
* download this file
*/
function getDownloadHash() {
- return strtolower($this->getKey() . md5($this->getId().session_id().$this->getKey()));
+ return strtolower($this->getKey()
+ . md5($this->getId().session_id().strtolower($this->getKey())));
}
function open() {
diff --git a/include/staff/cannedresponse.inc.php b/include/staff/cannedresponse.inc.php
index d82baad74..a14beb43a 100644
--- a/include/staff/cannedresponse.inc.php
+++ b/include/staff/cannedresponse.inc.php
@@ -87,7 +87,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
if($canned && ($files=$canned->attachments->getSeparates())) {
echo '<div id="canned_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
foreach($files as $file) {
- $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+ $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
<a href="file.php?h=%s">%s</a> </label> ',
$file['id'], $file['id'], $hash, $file['name']);
diff --git a/include/staff/faq.inc.php b/include/staff/faq.inc.php
index 8b390c3de..8f412bdb6 100644
--- a/include/staff/faq.inc.php
+++ b/include/staff/faq.inc.php
@@ -101,7 +101,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
if($faq && ($files=$faq->attachments->getSeparates())) {
echo '<div class="faq_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
foreach($files as $file) {
- $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+ $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
<a href="file.php?h=%s">%s</a> </label> ',
$file['id'], $file['id'], $hash, $file['name']);
diff --git a/scp/file.php b/scp/file.php
index 4ccc3b828..9d6518d0a 100644
--- a/scp/file.php
+++ b/scp/file.php
@@ -23,7 +23,7 @@ $h=trim($_GET['h']);
//basic checks
if(!$h || strlen($h)!=64 //32*2
|| !($file=AttachmentFile::lookup(substr($h,0,32))) //first 32 is the file hash.
- || strcasecmp(substr($h,-32),md5($file->getId().session_id().strtolower($file->getKey())))) //next 32 is file id + session hash.
+ || $file->getDownloadHash() != $h) //next 32 is file id + session hash.
die('Unknown or invalid file. #'.Format::htmlchars($_GET['h']));
$file->download();
--
GitLab