
Merge pull request #619 from matthieu-rolland/add-security-fixes
matthieu-rolland authored Nov 8, 2023
2 parents 8f2bd2d + 6327811 commit eec00da
Showing 2 changed files with 47 additions and 9 deletions.
5 changes: 5 additions & 0 deletions blockreassurance.php
Expand Up @@ -41,6 +41,11 @@ class blockreassurance extends Module implements WidgetInterface
const POSITION_BELOW_HEADER = 1;
const POSITION_ABOVE_HEADER = 2;

const PSR_HOOK_HEADER = 'PSR_HOOK_HEADER';
const PSR_HOOK_FOOTER = 'PSR_HOOK_FOOTER';
const PSR_HOOK_PRODUCT = 'PSR_HOOK_PRODUCT';
const PSR_HOOK_CHECKOUT = 'PSR_HOOK_CHECKOUT';

/** @var string */
public $name;
/** @var string */
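Review bot: The four PSR_HOOK_* constants are added without a comment saying what they are for; the same commit uses them in `isAuthorizedHookConfigurationKey` as the allow-list of Configuration keys that `displayAjaxSavePositionByHook` may write, so a reader of this class cannot tell that adding a constant here widens what the admin AJAX endpoint is allowed to update. Suggest a comment above the group: `/* Configuration keys holding the block position per hook; also the allow-list used by AdminBlockListingController::isAuthorizedHookConfigurationKey() */`. The enclosing class continues outside the hunk.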
51 changes: 42 additions & 9 deletions controllers/admin/AdminBlockListingController.php
Expand Up @@ -70,7 +70,7 @@ public function displayAjaxDeleteBlock()
$result = true;
// Remove Custom icon
if (!empty($blockPSR['custom_icon'])) {
$filePath = _PS_ROOT_DIR_ . $blockPSR['custom_icon'];
$filePath = _PS_ROOT_DIR_ . $this->module->img_path_perso . '/' . basename($blockPSR['custom_icon']);
if (file_exists($filePath)) {
$result = unlink($filePath);
}
Expand Down Expand Up @@ -100,12 +100,7 @@ public function displayAjaxSavePositionByHook()
$value = Tools::getValue('value');
$result = false;

if (!empty($hook) && in_array($value, [
blockreassurance::POSITION_NONE,
blockreassurance::POSITION_BELOW_HEADER,
blockreassurance::POSITION_ABOVE_HEADER,
])
) {
if ($this->isAuthorizedHookConfigurationKey($hook) && $this->isAuthorizedPositionValue($value)) {
$result = Configuration::updateValue($hook, $value);
}

Expand Down Expand Up @@ -148,6 +143,14 @@ public function displayAjaxSaveBlockContent()
$type_link = (int) Tools::getValue('typelink');
$id_cms = Tools::getValue('id_cms');
$psr_languages = (array) json_decode(Tools::getValue('lang_values'));
$authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg'];
$authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml'];

if (!empty($picto) && !in_array(pathinfo($picto, PATHINFO_EXTENSION), $authExtensions)) {
$errors[] = Context::getContext()->getTranslator()->trans('Image format not recognized, allowed formats are: .gif, .jpg, .png', [], 'Admin.Notifications.Error');

return $this->ajaxRenderJson(empty($errors) ? 'success' : 'error');
}

$blockPsr = new ReassuranceActivity($id_block);
if (!$id_block) {
Expand All @@ -173,8 +176,6 @@ public function displayAjaxSaveBlockContent()
$filename = $customImage['name'];

// validateUpload return false if no error (false -> OK)
$authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg'];
$authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml'];
if (version_compare(_PS_VERSION_, '1.7.7.0', '>=')) {
// PrestaShop 1.7.7.0+
$validUpload = ImageManager::validateUpload(
Expand Down Expand Up @@ -249,4 +250,36 @@ public function displayAjaxUpdatePosition()
// Response
$this->ajaxRenderJson($result ? 'success' : 'error');
}

/**
* @param string $hook
*
* @return bool
*/
private function isAuthorizedHookConfigurationKey($hook)
{
return
!empty($hook) &&
in_array($hook, [
blockreassurance::PSR_HOOK_HEADER,
blockreassurance::PSR_HOOK_FOOTER,
blockreassurance::PSR_HOOK_PRODUCT,
blockreassurance::PSR_HOOK_CHECKOUT,
], true)
;
}

/**
* @param string $value
*
* @return bool
*/
private function isAuthorizedPositionValue($value)
{
return in_array((int) $value, [
blockreassurance::POSITION_NONE,
blockreassurance::POSITION_BELOW_HEADER,
blockreassurance::POSITION_ABOVE_HEADER,
], true);
}
}
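Review bot: `isAuthorizedPositionValue` checks `(int) $value`, but the `Configuration::updateValue($hook, $value)` line in `displayAjaxSavePositionByHook` still stores the raw request value, so a string such as `'1abc'` (or any non-numeric text, which casts to 0) passes the check and is written unchanged; store the validated form with `$result = Configuration::updateValue($hook, (int) $value);`. The extension check on the `$picto` line in `displayAjaxSaveBlockContent` is case-sensitive and non-strict, so `.PNG` is rejected here while the upload itself appears to be validated further down by `ImageManager::validateUpload` (that call runs past the hunk); `in_array(strtolower(pathinfo($picto, PATHINFO_EXTENSION)), $authExtensions, true)` would make it consistent with the strict `in_array` used in the two new helpers. The error message lists only .gif, .jpg and .png although `$authExtensions` also accepts jpeg, jpe and svg. Both `displayAjaxSavePositionByHook` and `displayAjaxSaveBlockContent` begin above their hunks.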
