From cd4a95778a56639a297b6019f0c83285c670cd80 Mon Sep 17 00:00:00 2001
From: edmarmoretti <edmar.moretti@gmail.com>
Date: Mon, 15 Aug 2016 18:22:50 -0300
Subject: [PATCH] Reformulação do código do sistema de administração para aprmoramento da segurança

---
 ferramentas/aplicarsld/upload.php    |  7 +++++--
 ferramentas/carregamapa/upload.php   |  2 +-
 ferramentas/importarwmc/upload.php   |  6 ++++--
 ferramentas/upload/upload.php        | 16 ++++++++++++++--
 ferramentas/uploaddbf/upload.php     |  8 +++++---
 ferramentas/uploadgpx/upload.php     |  5 +++--
 ferramentas/uploadkml/upload.php     |  5 +++--
 ferramentas/uploadsimbolo/upload.php |  5 +++--
 8 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/ferramentas/aplicarsld/upload.php b/ferramentas/aplicarsld/upload.php
index 11f7439..48d8aef 100755
--- a/ferramentas/aplicarsld/upload.php
+++ b/ferramentas/aplicarsld/upload.php
@@ -14,7 +14,7 @@ require_once (dirname(__FILE__)."/../../ms_configura.php");
 $tema = $_GET["tema"];
 
 if(isset($logExec) && $logExec["upload"] == true){
-	i3GeoLog("aplicarsld tema: $tema filename:" . $_FILES['i3GEOaplicarsld']['name'],$dir_tmp);
+	i3GeoLog("prog: aplicarsld tema: $tema filename:" . $_FILES['i3GEOaplicarsld']['name'],$dir_tmp);
 }
 ?>
 <html>
@@ -41,7 +41,10 @@ if (isset($_FILES['i3GEOaplicarsld']['name']) && strlen(basename($_FILES['i3GEOa
 
 	$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
 
-	$ArquivoDest = str_replace(".sld","",$ArquivoDest).".sld";
+	$ArquivoDest = str_replace(".sld","",$ArquivoDest);
+	$ArquivoDest = str_replace(".","",$ArquivoDest).".sld";
+
+
 	verificaNome($ArquivoDest);
 
 	//sobe arquivo
diff --git a/ferramentas/carregamapa/upload.php b/ferramentas/carregamapa/upload.php
index 6d632e6..e38f117 100755
--- a/ferramentas/carregamapa/upload.php
+++ b/ferramentas/carregamapa/upload.php
@@ -13,7 +13,7 @@ $postgis_mapa = $_SESSION["postgis_mapa"];
 require_once (dirname(__FILE__)."/../../ms_configura.php");
 
 if(isset($logExec) && $logExec["upload"] == true){
-	i3GeoLog("carregamapa filename:" . $_FILES['i3GEOcarregamapafilemap']['name'],$dir_tmp);
+	i3GeoLog("prog: carregamapa filename:" . $_FILES['i3GEOcarregamapafilemap']['name'],$dir_tmp);
 }
 ?>
 <html>
diff --git a/ferramentas/importarwmc/upload.php b/ferramentas/importarwmc/upload.php
index 85e9a68..6c9c77e 100755
--- a/ferramentas/importarwmc/upload.php
+++ b/ferramentas/importarwmc/upload.php
@@ -24,7 +24,7 @@ $dirmap = dirname($map_file);
 $arquivo = "";
 
 if(isset($logExec) && $logExec["upload"] == true){
-	i3GeoLog("importarwmc filename:" . $_FILES['i3GEOimportarwmc']['name'],$dir_tmp);
+	i3GeoLog("prog: importarwmc filename:" . $_FILES['i3GEOimportarwmc']['name'],$dir_tmp);
 }
 
 if(isset($_FILES['i3GEOimportarwmc']['name']) && !($_POST["i3GEOimportarwmcurl"]) && strlen(basename($_FILES['i3GEOimportarwmc']['name'])) < 200)
@@ -33,7 +33,9 @@ if(isset($_FILES['i3GEOimportarwmc']['name']) && !($_POST["i3GEOimportarwmcurl"]
 	//verifica nomes
 	$ArquivoDest = $_FILES['i3GEOimportarwmc']['name'];
 	$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
-	$ArquivoDest = str_replace(".xml","",$ArquivoDest).".xml";
+
+	$ArquivoDest = str_replace(".xml","",$ArquivoDest);
+	$ArquivoDest = str_replace(".","",$ArquivoDest).".xml";
 
 	$ArquivoDest = strip_tags($ArquivoDest);
 	$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
diff --git a/ferramentas/upload/upload.php b/ferramentas/upload/upload.php
index bf1e24e..14f9baf 100755
--- a/ferramentas/upload/upload.php
+++ b/ferramentas/upload/upload.php
@@ -35,7 +35,7 @@ if (isset($_FILES['i3GEOuploadshp']['name']))
 	require_once (dirname(__FILE__)."/../../ms_configura.php");
 
 	if(isset($logExec) && $logExec["upload"] == true){
-		i3GeoLog("upload filename:" . $_FILES['i3GEOuploadshp']['name'],$dir_tmp);
+		i3GeoLog("prog: upload filename:" . $_FILES['i3GEOuploadshp']['name'],$dir_tmp);
 	}
 
 	echo "<p class='paragrafo' >Carregando o arquivo...</p>";
@@ -67,9 +67,9 @@ if (isset($_FILES['i3GEOuploadshp']['name']))
 	//remove acentos
 	$nomePrefixo = str_replace(" ","_",removeAcentos(str_replace(".shp","",$_FILES['i3GEOuploadshp']['name'])));
 
+	$nomePrefixo = str_replace(".","",$nomePrefixo);
 	$nomePrefixo = strip_tags($nomePrefixo);
 	$nomePrefixo = htmlspecialchars($nomePrefixo, ENT_QUOTES);
-
 	$nomePrefixo = $nomePrefixo . md5(uniqid(rand(), true));
 
 	//sobe arquivo
@@ -104,14 +104,26 @@ if (isset($_FILES['i3GEOuploadshp']['name']))
 
 	$checkphp = fileContemString($dirmap."/".$nomePrefixo.".prj","<?");
 	if($checkphp == true){
+		unlink($dirmap."/".$nomePrefixo.".shp");
+		unlink($dirmap."/".$nomePrefixo.".dbf");
+		unlink($dirmap."/".$nomePrefixo.".shx");
+		unlink($dirmap."/".$nomePrefixo.".prj");
 		exit;
 	}
 	$checkphp = fileContemString($dirmap."/".$nomePrefixo.".shx","<?");
 	if($checkphp == true){
+		unlink($dirmap."/".$nomePrefixo.".shp");
+		unlink($dirmap."/".$nomePrefixo.".dbf");
+		unlink($dirmap."/".$nomePrefixo.".shx");
+		unlink($dirmap."/".$nomePrefixo.".prj");
 		exit;
 	}
 	$checkphp = fileContemString($dirmap."/".$nomePrefixo.".dbf","<?");
 	if($checkphp == true){
+		unlink($dirmap."/".$nomePrefixo.".shp");
+		unlink($dirmap."/".$nomePrefixo.".dbf");
+		unlink($dirmap."/".$nomePrefixo.".shx");
+		unlink($dirmap."/".$nomePrefixo.".prj");
 		exit;
 	}
 
diff --git a/ferramentas/uploaddbf/upload.php b/ferramentas/uploaddbf/upload.php
index 6a56767..b466a33 100755
--- a/ferramentas/uploaddbf/upload.php
+++ b/ferramentas/uploaddbf/upload.php
@@ -35,7 +35,7 @@ if (isset($_FILES['i3GEOuploaddbffile']['name']) && strlen(basename($_FILES['i3G
 	require_once (dirname(__FILE__)."/../../ms_configura.php");
 
 	if(isset($logExec) && $logExec["upload"] == true){
-		i3GeoLog("uploaddbf filename:" . $_FILES['i3GEOuploaddbffile']['name'],$dir_tmp);
+		i3GeoLog("prog: uploaddbf filename:" . $_FILES['i3GEOuploaddbffile']['name'],$dir_tmp);
 	}
 
 	$mapa = ms_newMapObj($map_file);
@@ -50,10 +50,12 @@ if (isset($_FILES['i3GEOuploaddbffile']['name']) && strlen(basename($_FILES['i3G
 	$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
 
 	if($_GET["i3GEOuploaddbftipoarquivo"] != "dbf"){
-		$ArquivoDest = str_replace(".csv","",$ArquivoDest).".csv";
+		$ArquivoDest = str_replace(".csv","",$ArquivoDest);
+		$ArquivoDest = str_replace(".","",$ArquivoDest).".csv";
 	}
 	else{
-		$ArquivoDest = str_replace(".dbf","",$ArquivoDest).".dbf";
+		$ArquivoDest = str_replace(".dbf","",$ArquivoDest);
+		$ArquivoDest = str_replace(".","",$ArquivoDest).".dbf";
 	}
 
 	$ArquivoDest = strip_tags($ArquivoDest);
diff --git a/ferramentas/uploadgpx/upload.php b/ferramentas/uploadgpx/upload.php
index b31d4f1..c64e025 100755
--- a/ferramentas/uploadgpx/upload.php
+++ b/ferramentas/uploadgpx/upload.php
@@ -32,7 +32,7 @@ if (isset($_FILES['i3GEOuploadgpx']['name']) && strlen(basename($_FILES['i3GEOup
 	require_once (dirname(__FILE__)."/../../ms_configura.php");
 
 	if(isset($logExec) && $logExec["upload"] == true){
-		i3GeoLog("uploadgpx filename:" . $_FILES['i3GEOuploadgpx']['name'],$dir_tmp);
+		i3GeoLog("prog: uploadgpx filename:" . $_FILES['i3GEOuploadgpx']['name'],$dir_tmp);
 	}
 
 	$mapa = ms_newMapObj($map_file);
@@ -44,7 +44,8 @@ if (isset($_FILES['i3GEOuploadgpx']['name']) && strlen(basename($_FILES['i3GEOup
 	//verifica nomes
 	$ArquivoDest = $_FILES['i3GEOuploadgpx']['name'];
 	$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
-	$ArquivoDest = str_replace(".gpx","",$ArquivoDest).".gpx";
+	$ArquivoDest = str_replace(".gpx","",$ArquivoDest);
+	$ArquivoDest = str_replace(".","",$ArquivoDest).".gpx";
 
 	$ArquivoDest = strip_tags($ArquivoDest);
 	$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
diff --git a/ferramentas/uploadkml/upload.php b/ferramentas/uploadkml/upload.php
index 20ce888..ff581e6 100755
--- a/ferramentas/uploadkml/upload.php
+++ b/ferramentas/uploadkml/upload.php
@@ -33,7 +33,7 @@ if (isset($_FILES['i3GEOuploadkml']['name']) && strlen(basename($_FILES['i3GEOup
 	require_once (dirname(__FILE__)."/../../ms_configura.php");
 
 	if(isset($logExec) && $logExec["upload"] == true){
-		i3GeoLog("uploadkml filename:" . $_FILES['i3GEOuploadkml']['name'],$dir_tmp);
+		i3GeoLog("prog: uploadkml filename:" . $_FILES['i3GEOuploadkml']['name'],$dir_tmp);
 	}
 
 	$mapa = ms_newMapObj($map_file);
@@ -45,7 +45,8 @@ if (isset($_FILES['i3GEOuploadkml']['name']) && strlen(basename($_FILES['i3GEOup
 	//verifica nomes
 	$ArquivoDest = $_FILES['i3GEOuploadkml']['name'];
 	$ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
-	$ArquivoDest = str_replace(".kml","",$ArquivoDest).".kml";
+	$ArquivoDest = str_replace(".kml","",$ArquivoDest);
+	$ArquivoDest = str_replace(".","",$ArquivoDest).".kml";
 
 	$ArquivoDest = strip_tags($ArquivoDest);
 	$ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
diff --git a/ferramentas/uploadsimbolo/upload.php b/ferramentas/uploadsimbolo/upload.php
index 3f41cc7..5a6f18f 100755
--- a/ferramentas/uploadsimbolo/upload.php
+++ b/ferramentas/uploadsimbolo/upload.php
@@ -28,7 +28,7 @@ if (isset($_FILES['i3GEOuploadsimboloarq']['name']) && strlen(basename($_FILES['
 	require_once (dirname(__FILE__)."/../../ms_configura.php");
 
 	if(isset($logExec) && $logExec["upload"] == true){
-		i3GeoLog("uploadsimbolo filename:" . $_FILES['i3GEOuploadsimboloarq']['name'],$dir_tmp);
+		i3GeoLog("prog: uploadsimbolo filename:" . $_FILES['i3GEOuploadsimboloarq']['name'],$dir_tmp);
 	}
 
 	echo "<p class='paragrafo' >Carregando o arquivo...</p>";
@@ -52,7 +52,8 @@ if (isset($_FILES['i3GEOuploadsimboloarq']['name']) && strlen(basename($_FILES['
 
 	$nome = basename($_FILES['i3GEOuploadsimboloarq']['name']);
 
-	$nome = str_replace(".png","",$nome).".png";
+	$nome = str_replace(".png","",$nome);
+	$nome = str_replace(".","",$nome).".png";
 
 	$nome = strip_tags($nome);
 	$nome = htmlspecialchars($nome, ENT_QUOTES);
--
libgit2 0.21.2