From b5d71a473d51f9b9837eee62c532677257f432c1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 14 Feb 2026 13:21:09 +0000
Subject: [PATCH] Add realpath validation and accessibility improvements

Co-authored-by: naielv <109038805+naielv@users.noreply.github.com>
---
 public_html/entreaulas/_filefetch.php | 19 ++++++++++++++-----
 public_html/entreaulas/paneldiario.php | 17 +++++++++++------
 2 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/public_html/entreaulas/_filefetch.php b/public_html/entreaulas/_filefetch.php
index c2e012d..39f2cb0 100755
--- a/public_html/entreaulas/_filefetch.php
+++ b/public_html/entreaulas/_filefetch.php
@@ -80,20 +80,29 @@ if (!isset($path)) {
 if (!isset($uripath)) {
 $uripath = "/$relpath";
 }
-if (!file_exists($path) || !is_file($path)) {
+
+// Validate that the resolved path is within /DATA directory
+$real_path = realpath($path);
+$real_base = realpath("/DATA");
+if ($real_path === false || $real_base === false || strpos($real_path, $real_base) !== 0) {
+ header("HTTP/1.1 403 Forbidden");
+ die("Access denied");
+}
+
+if (!file_exists($real_path) || !is_file($real_path)) {
 header("HTTP/1.1 404 Not Found");
 die("File not found");
 }
-$mime = mime_content_type($path);
+$mime = mime_content_type($real_path);
 // Check if thumbnail is requested
-if (file_exists($path . ".thumbnail") && $_GET["thumbnail"] == "1") {
- $path .= ".thumbnail";
+if (file_exists($real_path . ".thumbnail") && $_GET["thumbnail"] == "1") {
+ $real_path .= ".thumbnail";
 $uripath .= ".thumbnail";
 $mime = "image/jpeg";
 }
 header("Content-Type: " . $mime);
-header('Content-Length: ' . filesize($path));
+header('Content-Length: ' . filesize($real_path));
 //header('Cache-Control: max-age=7200');
 header("X-Accel-Redirect: $uripath");
diff --git a/public_html/entreaulas/paneldiario.php b/public_html/entreaulas/paneldiario.php
index e548c18..e6bb767 100755
--- a/public_html/entreaulas/paneldiario.php
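Review bot: The containment test on the new `if ($real_path === false || $real_base === false || strpos($real_path, $real_base) !== 0)` line compares against `$real_base` without a trailing separator, so a resolved path inside a sibling directory whose name merely begins with `/DATA` also satisfies the prefix test; compare against the base plus separator instead, `strpos($real_path, $real_base . DIRECTORY_SEPARATOR) !== 0` (or `!str_starts_with(...)` if the deployment is on PHP 8). The paneldiario.php hunk repeats the same pattern with `$base_path` and needs the same change. A second consequence worth a comment on the 403 branch: `realpath()` returns false for a path that does not exist, so a missing file under /DATA now ends in "Access denied" and the `file_exists`/`is_file` 404 check that follows is only reachable for directories — if a 404 is still intended for missing files, test existence before deciding on 403. `$path` is assigned outside the hunk, so its origin cannot be checked here.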
+++ b/public_html/entreaulas/paneldiario.php
@@ -161,11 +161,16 @@ switch ($_GET["action"]) {
 break;
 }
- $alumnos_path = "/DATA/entreaulas/Centros/$centro_id/Aularios/$aulario_id/Alumnos";
- $alumnos = [];
+ $base_path = "/DATA/entreaulas/Centros";
+ $alumnos_path = "$base_path/$centro_id/Aularios/$aulario_id/Alumnos";
- if (is_dir($alumnos_path)) {
- $alumnos = glob($alumnos_path . "/*", GLOB_ONLYDIR);
+ // Validate the path is within the expected directory
+ $real_path = realpath($alumnos_path);
+ $real_base = realpath($base_path);
+
+ $alumnos = [];
+ if ($real_path !== false && $real_base !== false && strpos($real_path, $real_base) === 0 && is_dir($real_path)) {
+ $alumnos = glob($real_path . "/*", GLOB_ONLYDIR);
 }
 ?>
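Review bot: The new `if ($real_path !== false && ...)` check only establishes that the resolved directory lies somewhere under `/DATA/entreaulas/Centros`; it does not tie `$centro_id` and `$aulario_id` to the centro the current user is allowed to see, so if those values are request-derived (they are assigned outside the hunk, so this is inferred) another centro's Alumnos listing still passes the check. Validating the two identifiers against their expected format before the path is built — e.g. `if (!preg_match('/^[\w-]+$/', $centro_id) || !preg_match('/^[\w-]+$/', $aulario_id)) { break; }`, with the pattern adjusted to the real identifier format — would reject `..`-style segments up front and leave the realpath comparison as a second layer rather than the only one. The `case` that this `break;` belongs to begins outside the hunk.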