admin/Facilitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FSN#24372 Bijlagen met 'Foute' extensies via whitelist ipv. blacklist

Browse Source 
svn path=/Website/trunk/; revision=18562
This commit is contained in:
Jos Groot Lipman
2013-07-31 07:31:25 +00:00
parent d4fbd432d3
commit 0304d75771
1 changed files with 19 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
UTILS/mail_receive/EventHandlers.js
View File

@@ -1,9 +1,7 @@
// Hieronder worden XXXX/XXXX/UDL's gezocht // Hieronder worden XXXX/XXXX/UDL's gezocht
var facilPath = 'c:/Websites/Facilitor/csu_prep/cust/'; var facilPath = 'd:/apps/Facilitor/FPlace5i/cust/';
var cust = 'XXXX'; var cust = 'XXXX';
flexForbiddenExt = ".*\\.(asp|aspx|inc|bat|exe|com|scr|dll|hta|js|vbs|wsh|lnk|udl)$"; // Regexp forbidden extensions
safe = { // extracted from shared.inc safe = { // extracted from shared.inc
quoted_sql: function (tekst, maxlen) // maxlen is optioneel quoted_sql: function (tekst, maxlen) // maxlen is optioneel
{ {
@@ -13,11 +11,11 @@ safe = { // extracted from shared.inc
maxlen = 4000; maxlen = 4000;
tekst = tekst.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]+/g, "?"); tekst = tekst.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]+/g, "?");
tekst = tekst.substr(0, maxlen); tekst = tekst.substr(0, maxlen);
return "'" + tekst.replace(/\'/g,"''") + "'"; return "'" + tekst.replace(/\'/g,"''") + "'"; // " syntax highlight correctie
}, },
filename: function (naam) // geen 'lage' karakters een geen (back)slashes, *,%,<,> filename: function (naam) // geen 'lage' karakters en geen (back)slashes, *,%,<,>
{ {
return naam.replace(/[\x00-\x1F|\/|\\|\*|\%\<\>]+/g, "_"); return naam.replace(/[\x00-\x1F|\/|\\|\*|\%\<\>\"\:\?\|]+/g, "_"); // " syntax highlight correctie
} }
} }
@@ -35,7 +33,6 @@ function stripHtml(html)
return html; return html;
} }
function CreateFullPath(sPath) function CreateFullPath(sPath)
{ {
var fso = new ActiveXObject("Scripting.FileSystemObject"); var fso = new ActiveXObject("Scripting.FileSystemObject");
@@ -180,17 +177,30 @@ function OnAcceptMessage(oClient, oMessage)
} }
oRs1.Close(); oRs1.Close();
EventLog.write(oMessage.Attachments.Count+' bijlage(s) naar ' + path); // Veilige extensies
sql = "SELECT COALESCE(fac_setting_pvalue, fac_setting_default)"
+ " FROM fac_setting"
+ " WHERE fac_setting_name = 'flexallowedext'";
var oRs1 = Oracle.Execute(sql);
var flexAllowedExt = oRs1("fac_result_waarde").Value;
oRs1.Close();
CreateFullPath(path); CreateFullPath(path);
for (i=0; i < oMessage.Attachments.Count; i++) for (i=0; i < oMessage.Attachments.Count; i++)
{ {
filenm = "" + safe.filename(oMessage.Attachments.Item(i).fileName); filenm = "" + safe.filename(oMessage.Attachments.Item(i).fileName);
if (filenm.match(flexForbiddenExt)) if (filenm == 'tmpl_logo.gif')
{ // Waarschijnlijk een FACILITOR bon gereply'd
EventLog.write("Bijlage " + filenm + " genegeerd.");
}
else if (!new RegExp(flexAllowedExt, "ig").test(filenm))
{ {
// TODO: Misschien ook terugkoppelen aan zender?
EventLog.write("Onveilig bestand: " + filenm + " is niet opgeslagen."); EventLog.write("Onveilig bestand: " + filenm + " is niet opgeslagen.");
} }
else else
{ {
EventLog.write(filenm + ' bijlage (' + oMessage.Attachments.Item(i).Size + ' bytes) naar ' + path);
filePath = path + filenm; filePath = path + filenm;
oMessage.Attachments.Item(i).SaveAs(filePath); oMessage.Attachments.Item(i).SaveAs(filePath);
} }