Commit cd4a95778a56639a297b6019f0c83285c670cd80

Authored by Edmar Moretti
1 parent f63223bd
Exists in master

Reformulação do código do sistema de administração para aprimoramento da segurança

ferramentas/aplicarsld/upload.php
@@ -14,7 +14,7 @@ require_once (dirname(__FILE__)."/../../ms_configura.php"); @@ -14,7 +14,7 @@ require_once (dirname(__FILE__)."/../../ms_configura.php");
14 $tema = $_GET["tema"]; 14 $tema = $_GET["tema"];
15 15
16 if(isset($logExec) && $logExec["upload"] == true){ 16 if(isset($logExec) && $logExec["upload"] == true){
17 - i3GeoLog("aplicarsld tema: $tema filename:" . $_FILES['i3GEOaplicarsld']['name'],$dir_tmp); 17 + i3GeoLog("prog: aplicarsld tema: $tema filename:" . $_FILES['i3GEOaplicarsld']['name'],$dir_tmp);
18 } 18 }
19 ?> 19 ?>
20 <html> 20 <html>
@@ -41,7 +41,10 @@ if (isset($_FILES[&#39;i3GEOaplicarsld&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOa @@ -41,7 +41,10 @@ if (isset($_FILES[&#39;i3GEOaplicarsld&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOa
41 41
42 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true)); 42 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
43 43
44 - $ArquivoDest = str_replace(".sld","",$ArquivoDest).".sld"; 44 + $ArquivoDest = str_replace(".sld","",$ArquivoDest);
  45 + $ArquivoDest = str_replace(".","",$ArquivoDest).".sld";
  46 +
  47 +
45 verificaNome($ArquivoDest); 48 verificaNome($ArquivoDest);
46 49
47 //sobe arquivo 50 //sobe arquivo
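Review bot: The two-step name normalisation at new lines 44-45 (`str_replace(".sld","",…)` then `str_replace(".","",…)` before re-adding the extension) is repeated with a different extension in six other files of this commit (importarwmc, uploaddbf, uploadgpx, uploadkml, uploadsimbolo, and the `$nomePrefixo` form in upload), so one helper in the include these scripts already load, e.g. `function nomeSeguro($nome, $ext) { return str_replace(".", "", str_replace($ext, "", basename($nome))) . $ext; }`, would keep the seven copies from drifting. Separately, the log call at line 17 still concatenates the raw `$_GET["tema"]` value from line 14 and the client-supplied upload name; unless i3GeoLog strips control characters itself, a newline in either lets one request write extra log entries, so filter them (e.g. `preg_replace('/[\x00-\x1F\x7F]/', '', …)`) before the call, and the same line exists in the other seven files. The `if` at line 16 also reads `$_FILES['i3GEOaplicarsld']['name']` without checking that the entry is set, which produces a notice on a request with no file.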
ferramentas/carregamapa/upload.php
@@ -13,7 +13,7 @@ $postgis_mapa = $_SESSION[&quot;postgis_mapa&quot;]; @@ -13,7 +13,7 @@ $postgis_mapa = $_SESSION[&quot;postgis_mapa&quot;];
13 require_once (dirname(__FILE__)."/../../ms_configura.php"); 13 require_once (dirname(__FILE__)."/../../ms_configura.php");
14 14
15 if(isset($logExec) && $logExec["upload"] == true){ 15 if(isset($logExec) && $logExec["upload"] == true){
16 - i3GeoLog("carregamapa filename:" . $_FILES['i3GEOcarregamapafilemap']['name'],$dir_tmp); 16 + i3GeoLog("prog: carregamapa filename:" . $_FILES['i3GEOcarregamapafilemap']['name'],$dir_tmp);
17 } 17 }
18 ?> 18 ?>
19 <html> 19 <html>
ferramentas/importarwmc/upload.php
@@ -24,7 +24,7 @@ $dirmap = dirname($map_file); @@ -24,7 +24,7 @@ $dirmap = dirname($map_file);
24 $arquivo = ""; 24 $arquivo = "";
25 25
26 if(isset($logExec) && $logExec["upload"] == true){ 26 if(isset($logExec) && $logExec["upload"] == true){
27 - i3GeoLog("importarwmc filename:" . $_FILES['i3GEOimportarwmc']['name'],$dir_tmp); 27 + i3GeoLog("prog: importarwmc filename:" . $_FILES['i3GEOimportarwmc']['name'],$dir_tmp);
28 } 28 }
29 29
30 if(isset($_FILES['i3GEOimportarwmc']['name']) && !($_POST["i3GEOimportarwmcurl"]) && strlen(basename($_FILES['i3GEOimportarwmc']['name'])) < 200) 30 if(isset($_FILES['i3GEOimportarwmc']['name']) && !($_POST["i3GEOimportarwmcurl"]) && strlen(basename($_FILES['i3GEOimportarwmc']['name'])) < 200)
@@ -33,7 +33,9 @@ if(isset($_FILES[&#39;i3GEOimportarwmc&#39;][&#39;name&#39;]) &amp;&amp; !($_POST[&quot;i3GEOimportarwmcurl&quot;] @@ -33,7 +33,9 @@ if(isset($_FILES[&#39;i3GEOimportarwmc&#39;][&#39;name&#39;]) &amp;&amp; !($_POST[&quot;i3GEOimportarwmcurl&quot;]
33 //verifica nomes 33 //verifica nomes
34 $ArquivoDest = $_FILES['i3GEOimportarwmc']['name']; 34 $ArquivoDest = $_FILES['i3GEOimportarwmc']['name'];
35 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true)); 35 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
36 - $ArquivoDest = str_replace(".xml","",$ArquivoDest).".xml"; 36 +
  37 + $ArquivoDest = str_replace(".xml","",$ArquivoDest);
  38 + $ArquivoDest = str_replace(".","",$ArquivoDest).".xml";
37 39
38 $ArquivoDest = strip_tags($ArquivoDest); 40 $ArquivoDest = strip_tags($ArquivoDest);
39 $ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES); 41 $ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
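Review bot: `$ArquivoDest` at line 34 is taken from `$_FILES['i3GEOimportarwmc']['name']` without `basename()`, and the new line 38 removes only dots, so `/` and `\` in a client-supplied name survive `strip_tags` and `htmlspecialchars` on lines 40-41 and reach whatever path is built from this value; the guard in the hunk header applies `basename()` to the length check only. Use `$ArquivoDest = basename($_FILES['i3GEOimportarwmc']['name']);` on line 34, and likewise for uploadgpx line 45, uploadkml line 46 and the `$nomePrefixo` expression on upload line 68 (uploadsimbolo already does this). Where the destination path is assembled lies outside this hunk, so whether a later step strips separators cannot be confirmed here.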
ferramentas/upload/upload.php
@@ -35,7 +35,7 @@ if (isset($_FILES[&#39;i3GEOuploadshp&#39;][&#39;name&#39;])) @@ -35,7 +35,7 @@ if (isset($_FILES[&#39;i3GEOuploadshp&#39;][&#39;name&#39;]))
35 require_once (dirname(__FILE__)."/../../ms_configura.php"); 35 require_once (dirname(__FILE__)."/../../ms_configura.php");
36 36
37 if(isset($logExec) && $logExec["upload"] == true){ 37 if(isset($logExec) && $logExec["upload"] == true){
38 - i3GeoLog("upload filename:" . $_FILES['i3GEOuploadshp']['name'],$dir_tmp); 38 + i3GeoLog("prog: upload filename:" . $_FILES['i3GEOuploadshp']['name'],$dir_tmp);
39 } 39 }
40 40
41 echo "<p class='paragrafo' >Carregando o arquivo...</p>"; 41 echo "<p class='paragrafo' >Carregando o arquivo...</p>";
@@ -67,9 +67,9 @@ if (isset($_FILES[&#39;i3GEOuploadshp&#39;][&#39;name&#39;])) @@ -67,9 +67,9 @@ if (isset($_FILES[&#39;i3GEOuploadshp&#39;][&#39;name&#39;]))
67 //remove acentos 67 //remove acentos
68 $nomePrefixo = str_replace(" ","_",removeAcentos(str_replace(".shp","",$_FILES['i3GEOuploadshp']['name']))); 68 $nomePrefixo = str_replace(" ","_",removeAcentos(str_replace(".shp","",$_FILES['i3GEOuploadshp']['name'])));
69 69
  70 + $nomePrefixo = str_replace(".","",$nomePrefixo);
70 $nomePrefixo = strip_tags($nomePrefixo); 71 $nomePrefixo = strip_tags($nomePrefixo);
71 $nomePrefixo = htmlspecialchars($nomePrefixo, ENT_QUOTES); 72 $nomePrefixo = htmlspecialchars($nomePrefixo, ENT_QUOTES);
72 -  
73 $nomePrefixo = $nomePrefixo . md5(uniqid(rand(), true)); 73 $nomePrefixo = $nomePrefixo . md5(uniqid(rand(), true));
74 74
75 //sobe arquivo 75 //sobe arquivo
@@ -104,14 +104,26 @@ if (isset($_FILES[&#39;i3GEOuploadshp&#39;][&#39;name&#39;])) @@ -104,14 +104,26 @@ if (isset($_FILES[&#39;i3GEOuploadshp&#39;][&#39;name&#39;]))
104 104
105 $checkphp = fileContemString($dirmap."/".$nomePrefixo.".prj","<?"); 105 $checkphp = fileContemString($dirmap."/".$nomePrefixo.".prj","<?");
106 if($checkphp == true){ 106 if($checkphp == true){
  107 + unlink($dirmap."/".$nomePrefixo.".shp");
  108 + unlink($dirmap."/".$nomePrefixo.".dbf");
  109 + unlink($dirmap."/".$nomePrefixo.".shx");
  110 + unlink($dirmap."/".$nomePrefixo.".prj");
107 exit; 111 exit;
108 } 112 }
109 $checkphp = fileContemString($dirmap."/".$nomePrefixo.".shx","<?"); 113 $checkphp = fileContemString($dirmap."/".$nomePrefixo.".shx","<?");
110 if($checkphp == true){ 114 if($checkphp == true){
  115 + unlink($dirmap."/".$nomePrefixo.".shp");
  116 + unlink($dirmap."/".$nomePrefixo.".dbf");
  117 + unlink($dirmap."/".$nomePrefixo.".shx");
  118 + unlink($dirmap."/".$nomePrefixo.".prj");
111 exit; 119 exit;
112 } 120 }
113 $checkphp = fileContemString($dirmap."/".$nomePrefixo.".dbf","<?"); 121 $checkphp = fileContemString($dirmap."/".$nomePrefixo.".dbf","<?");
114 if($checkphp == true){ 122 if($checkphp == true){
  123 + unlink($dirmap."/".$nomePrefixo.".shp");
  124 + unlink($dirmap."/".$nomePrefixo.".dbf");
  125 + unlink($dirmap."/".$nomePrefixo.".shx");
  126 + unlink($dirmap."/".$nomePrefixo.".prj");
115 exit; 127 exit;
116 } 128 }
117 129
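Review bot: The cleanup added after each `fileContemString` check (new lines 107-110, 115-118, 123-126) is the same four `unlink()` calls copied three times, and `unlink()` emits a warning for any member that was not uploaded, which matters if `.prj` is optional for this uploader. The checks and the cleanup belong in one loop over the four extensions so a later edit cannot leave one branch without the deletion; if the `.shp` member is checked above line 104 (outside this hunk) it can join the same loop. The version below keeps the `exit` behaviour and skips members that do not exist.
```php
// … unchanged: upload of the .shp/.dbf/.shx/.prj members into $dirmap …
$membros = array(".shp", ".dbf", ".shx", ".prj");
foreach ($membros as $ext) {
    $checkphp = fileContemString($dirmap."/".$nomePrefixo.$ext, "<?");
    if ($checkphp == true) {
        foreach ($membros as $apaga) {
            if (file_exists($dirmap."/".$nomePrefixo.$apaga)) {
                unlink($dirmap."/".$nomePrefixo.$apaga);
            }
        }
        exit;
    }
}
```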
ferramentas/uploaddbf/upload.php
@@ -35,7 +35,7 @@ if (isset($_FILES[&#39;i3GEOuploaddbffile&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3G @@ -35,7 +35,7 @@ if (isset($_FILES[&#39;i3GEOuploaddbffile&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3G
35 require_once (dirname(__FILE__)."/../../ms_configura.php"); 35 require_once (dirname(__FILE__)."/../../ms_configura.php");
36 36
37 if(isset($logExec) && $logExec["upload"] == true){ 37 if(isset($logExec) && $logExec["upload"] == true){
38 - i3GeoLog("uploaddbf filename:" . $_FILES['i3GEOuploaddbffile']['name'],$dir_tmp); 38 + i3GeoLog("prog: uploaddbf filename:" . $_FILES['i3GEOuploaddbffile']['name'],$dir_tmp);
39 } 39 }
40 40
41 $mapa = ms_newMapObj($map_file); 41 $mapa = ms_newMapObj($map_file);
@@ -50,10 +50,12 @@ if (isset($_FILES[&#39;i3GEOuploaddbffile&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3G @@ -50,10 +50,12 @@ if (isset($_FILES[&#39;i3GEOuploaddbffile&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3G
50 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true)); 50 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
51 51
52 if($_GET["i3GEOuploaddbftipoarquivo"] != "dbf"){ 52 if($_GET["i3GEOuploaddbftipoarquivo"] != "dbf"){
53 - $ArquivoDest = str_replace(".csv","",$ArquivoDest).".csv"; 53 + $ArquivoDest = str_replace(".csv","",$ArquivoDest);
  54 + $ArquivoDest = str_replace(".","",$ArquivoDest).".csv";
54 } 55 }
55 else{ 56 else{
56 - $ArquivoDest = str_replace(".dbf","",$ArquivoDest).".dbf"; 57 + $ArquivoDest = str_replace(".dbf","",$ArquivoDest);
  58 + $ArquivoDest = str_replace(".","",$ArquivoDest).".dbf";
57 } 59 }
58 60
59 $ArquivoDest = strip_tags($ArquivoDest); 61 $ArquivoDest = strip_tags($ArquivoDest);
ferramentas/uploadgpx/upload.php
@@ -32,7 +32,7 @@ if (isset($_FILES[&#39;i3GEOuploadgpx&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup @@ -32,7 +32,7 @@ if (isset($_FILES[&#39;i3GEOuploadgpx&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup
32 require_once (dirname(__FILE__)."/../../ms_configura.php"); 32 require_once (dirname(__FILE__)."/../../ms_configura.php");
33 33
34 if(isset($logExec) && $logExec["upload"] == true){ 34 if(isset($logExec) && $logExec["upload"] == true){
35 - i3GeoLog("uploadgpx filename:" . $_FILES['i3GEOuploadgpx']['name'],$dir_tmp); 35 + i3GeoLog("prog: uploadgpx filename:" . $_FILES['i3GEOuploadgpx']['name'],$dir_tmp);
36 } 36 }
37 37
38 $mapa = ms_newMapObj($map_file); 38 $mapa = ms_newMapObj($map_file);
@@ -44,7 +44,8 @@ if (isset($_FILES[&#39;i3GEOuploadgpx&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup @@ -44,7 +44,8 @@ if (isset($_FILES[&#39;i3GEOuploadgpx&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup
44 //verifica nomes 44 //verifica nomes
45 $ArquivoDest = $_FILES['i3GEOuploadgpx']['name']; 45 $ArquivoDest = $_FILES['i3GEOuploadgpx']['name'];
46 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true)); 46 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
47 - $ArquivoDest = str_replace(".gpx","",$ArquivoDest).".gpx"; 47 + $ArquivoDest = str_replace(".gpx","",$ArquivoDest);
  48 + $ArquivoDest = str_replace(".","",$ArquivoDest).".gpx";
48 49
49 $ArquivoDest = strip_tags($ArquivoDest); 50 $ArquivoDest = strip_tags($ArquivoDest);
50 $ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES); 51 $ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
ferramentas/uploadkml/upload.php
@@ -33,7 +33,7 @@ if (isset($_FILES[&#39;i3GEOuploadkml&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup @@ -33,7 +33,7 @@ if (isset($_FILES[&#39;i3GEOuploadkml&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup
33 require_once (dirname(__FILE__)."/../../ms_configura.php"); 33 require_once (dirname(__FILE__)."/../../ms_configura.php");
34 34
35 if(isset($logExec) && $logExec["upload"] == true){ 35 if(isset($logExec) && $logExec["upload"] == true){
36 - i3GeoLog("uploadkml filename:" . $_FILES['i3GEOuploadkml']['name'],$dir_tmp); 36 + i3GeoLog("prog: uploadkml filename:" . $_FILES['i3GEOuploadkml']['name'],$dir_tmp);
37 } 37 }
38 38
39 $mapa = ms_newMapObj($map_file); 39 $mapa = ms_newMapObj($map_file);
@@ -45,7 +45,8 @@ if (isset($_FILES[&#39;i3GEOuploadkml&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup @@ -45,7 +45,8 @@ if (isset($_FILES[&#39;i3GEOuploadkml&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;i3GEOup
45 //verifica nomes 45 //verifica nomes
46 $ArquivoDest = $_FILES['i3GEOuploadkml']['name']; 46 $ArquivoDest = $_FILES['i3GEOuploadkml']['name'];
47 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true)); 47 $ArquivoDest = $ArquivoDest . md5(uniqid(rand(), true));
48 - $ArquivoDest = str_replace(".kml","",$ArquivoDest).".kml"; 48 + $ArquivoDest = str_replace(".kml","",$ArquivoDest);
  49 + $ArquivoDest = str_replace(".","",$ArquivoDest).".kml";
49 50
50 $ArquivoDest = strip_tags($ArquivoDest); 51 $ArquivoDest = strip_tags($ArquivoDest);
51 $ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES); 52 $ArquivoDest = htmlspecialchars($ArquivoDest, ENT_QUOTES);
ferramentas/uploadsimbolo/upload.php
@@ -28,7 +28,7 @@ if (isset($_FILES[&#39;i3GEOuploadsimboloarq&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39; @@ -28,7 +28,7 @@ if (isset($_FILES[&#39;i3GEOuploadsimboloarq&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;
28 require_once (dirname(__FILE__)."/../../ms_configura.php"); 28 require_once (dirname(__FILE__)."/../../ms_configura.php");
29 29
30 if(isset($logExec) && $logExec["upload"] == true){ 30 if(isset($logExec) && $logExec["upload"] == true){
31 - i3GeoLog("uploadsimbolo filename:" . $_FILES['i3GEOuploadsimboloarq']['name'],$dir_tmp); 31 + i3GeoLog("prog: uploadsimbolo filename:" . $_FILES['i3GEOuploadsimboloarq']['name'],$dir_tmp);
32 } 32 }
33 33
34 echo "<p class='paragrafo' >Carregando o arquivo...</p>"; 34 echo "<p class='paragrafo' >Carregando o arquivo...</p>";
@@ -52,7 +52,8 @@ if (isset($_FILES[&#39;i3GEOuploadsimboloarq&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39; @@ -52,7 +52,8 @@ if (isset($_FILES[&#39;i3GEOuploadsimboloarq&#39;][&#39;name&#39;]) &amp;&amp; strlen(basename($_FILES[&#39;
52 52
53 $nome = basename($_FILES['i3GEOuploadsimboloarq']['name']); 53 $nome = basename($_FILES['i3GEOuploadsimboloarq']['name']);
54 54
55 - $nome = str_replace(".png","",$nome).".png"; 55 + $nome = str_replace(".png","",$nome);
  56 + $nome = str_replace(".","",$nome).".png";
56 57
57 $nome = strip_tags($nome); 58 $nome = strip_tags($nome);
58 $nome = htmlspecialchars($nome, ENT_QUOTES); 59 $nome = htmlspecialchars($nome, ENT_QUOTES);