From 3ace2136f062bd7e2f42328460a9e08859c856d5 Mon Sep 17 00:00:00 2001
From: Michael Vogel
Date: Sun, 13 Sep 2015 18:47:10 +0200
Subject: [PATCH] Checking includes for valid paths

---
 boot.php | 28 ++++++++++++++++++++++++++++
 include/poller.php | 15 ++++++++++++---
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/boot.php b/boot.php
index 3116bb94b9..22cd34e062 100644
--- a/boot.php
+++ b/boot.php
@@ -1893,3 +1893,31 @@ if(!function_exists('exif_imagetype')) {
 return($size[2]);
 }
 }
+
+function validate_include(&$file) {
+ $orig_file = $file;
+
+ $file = realpath($file);
+
+ if (strpos($file, getcwd()) !== 0)
+ return false;
+
+ $file = str_replace(getcwd()."/", "", $file, $count);
+ if ($count != 1)
+ return false;
+
+ if ($orig_file !== $file)
+ return false;
+
+ $valid = false;
+ if (strpos($file, "include/") === 0)
+ $valid = true;
+
+ if (strpos($file, "addon/") === 0)
+ $valid = true;
+
+ if (!$valid)
+ return false;
+
+ return true;
+}
diff --git a/include/poller.php b/include/poller.php
index e4b0b092f4..b03dc84af7 100644
--- a/include/poller.php
+++ b/include/poller.php
@@ -65,8 +65,16 @@ function poller_run(&$argv, &$argc){
 $argc = count($argv);
- // To-Do: Check for existance
- require_once(basename($argv[0]));
+ // Check for existance and validity of the include file
+ $include = $argv[0];
+
+ if (!validate_include($include)) {
+ logger("Include file ".$argv[0]." is not valid!");
+ q("DELETE FROM `workerqueue` WHERE `id` = %d", intval($r[0]["id"]));
+ continue;
+ }
+
+ require_once($include);
 $funcname=str_replace(".php", "", basename($argv[0]))."_run";
@@ -77,7 +85,8 @@ function poller_run(&$argv, &$argc){
 logger("Process ".getmypid().": ".$funcname." - done");
 q("DELETE FROM `workerqueue` WHERE `id` = %d", intval($r[0]["id"]));
- }
+ } else
+ logger("Function ".$funcname." does not exist");
 }
 }
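Review bot: validate_include() never states the contract that makes its check sound, and that contract is easy to break by accident: the process must already be chdir'd to the application root (every comparison is against getcwd()), and `$file` must arrive in the exact normalized relative form `include/x.php` or `addon/x.php`, because the `$orig_file !== $file` comparison deliberately rejects `./include/x.php`, trailing slashes, `..` segments and anything realpath() rewrites, including symlinks that point outside the tree. A docblock saying exactly that would stop a future maintainer from "relaxing" the comparison and reopening the traversal. Two small hardening steps are also missing: make the realpath() failure explicit rather than relying on `strpos(false, …)` happening to return false, `if ($file === false) return false;`, and since require_once of a non-PHP file just emits its contents, reject anything without a `.php` suffix, `if (substr($file, -4) !== ".php") return false;`. Note too that the by-reference parameter is rewritten even on failure paths, so after a false return the caller's variable no longer holds what it passed in; that is worth documenting, since poller.php logs `$argv[0]` rather than `$include` for this very reason.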
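Review bot: The path that gets validated is not the path that gets loaded: validate_include() resolves `$argv[0]` with realpath() and checks the absolute result against getcwd(), but on success it leaves `$include` as the cwd-stripped relative string (`include/foo.php`), and `require_once($include)` then resolves a relative name without a leading `./` through include_path first, falling back to the calling script's directory and cwd only afterwards. If include_path ever holds another directory containing a same-named `include/foo.php`, a different file is executed than the one that was checked. Load the absolute resolved path instead, e.g. `require_once(getcwd()."/".$include);`, or have validate_include() hand back the realpath() result rather than the stripped form. The `continue` and the `$r[0]["id"]` it deletes depend on the surrounding loop in poller_run, whose body begins and ends outside this hunk.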