portal/import_template.php

   1 <?php
   2 /**
   3  *
   4  * Copyright (C) 2016-2017 Jerry Padgett <sjpadgett@gmail.com>
   5  *
   6  * LICENSE: This program is free software: you can redistribute it and/or modify
   7  *  it under the terms of the GNU Affero General Public License as
   8  *  published by the Free Software Foundation, either version 3 of the
   9  *  License, or (at your option) any later version.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU Affero General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU Affero General Public License
  17  *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18  *
  19  * @package OpenEMR
  20  * @author Jerry Padgett <sjpadgett@gmail.com>
  21  * @link http://www.open-emr.org
  22  */
  23
  24
  25 require_once("../interface/globals.php");
  26
  27 if ($_POST['mode'] == 'get') {
  28     $rebuilt = validateFile($_POST['docid']);
  29     if ($rebuilt) {
  30         echo file_get_contents($rebuilt);
  31         exit();
  32     } else {
  33         die(xlt('Invalid File'));
  34     }
  35 } else if ($_POST['mode'] == 'save') {
  36     $rebuilt = validateFile($_POST['docid']);
  37     if ($rebuilt) {
  38         if (stripos($_POST['content'], "<?php") === false) {
  39             file_put_contents($rebuilt, $_POST['content']);
  40             exit(true);
  41         } else {
  42             die(xlt('Invalid Content'));
  43         }
  44     } else {
  45         die(xlt('Invalid File'));
  46     }
  47 } else if ($_POST['mode'] == 'delete') {
  48     $rebuilt = validateFile($_POST['docid']);
  49     if ($rebuilt) {
  50         unlink($rebuilt);
  51         exit(true);
  52     } else {
  53         die(xlt('Invalid File'));
  54     }
  55 }
  56
  57 // so it is an import
  58 if (!isset($_POST['up_dir'])) {
  59     define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
  60 } else {
  61     if ($_POST['up_dir'] > 0) {
  62         define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/' . convert_safe_file_dir_name($_POST['up_dir']) . '/');
  63     } else {
  64         define("UPLOAD_DIR", $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/');
  65     }
  66 }
  67
  68 if (!empty($_FILES["tplFile"])) {
  69     $tplFile = $_FILES["tplFile"];
  70
  71     if ($tplFile["error"] !== UPLOAD_ERR_OK) {
  72         header("refresh:2;url= import_template_ui.php");
  73         echo "<p>" . xlt("An error occurred: Missing file to upload: Use back button!") . "</p>";
  74         exit;
  75     }
  76
  77     // ensure a safe filename
  78     $name = preg_replace("/[^A-Z0-9._-]/i", "_", $tplFile["name"]);
  79     if (preg_match("/(.*)\.(php|php3|php4|php5|php7)$/i", $name) !== 0) {
  80         die(xlt('Executables not allowed'));
  81     }
  82     $parts = pathinfo($name);
  83     $name = $parts["filename"] . '.tpl';
  84     // don't overwrite an existing file
  85     while (file_exists(UPLOAD_DIR . $name)) {
  86         $i = rand(0, 128);
  87         $newname = $parts["filename"] . "-" . $i . "." . $parts["extension"] . ".replaced";
  88         rename(UPLOAD_DIR . $name, UPLOAD_DIR . $newname);
  89     }
  90
  91     // preserve file from temporary directory
  92     $success = move_uploaded_file($tplFile["tmp_name"], UPLOAD_DIR . $name);
  93     if (!$success) {
  94         echo "<p>" . xlt("Unable to save file: Use back button!") . "</p>";
  95         exit;
  96     }
  97
  98     // set proper permissions on the new file
  99     chmod(UPLOAD_DIR . $name, 0644);
 100     header("location: " . $_SERVER['HTTP_REFERER']);
 101     die();
 102 }
 103
 104 function validateFile($filename = '')
 105 {
 106     $knownPath = $GLOBALS['OE_SITE_DIR'] . '/documents/onsite_portal_documents/templates/'; // default path
 107     $unknown = str_replace("\\", "/", realpath($filename)); // normalize requested path
 108     $parts = pathinfo($unknown);
 109     $unkParts = explode('/', $parts['dirname']);
 110     $ptpid = $unkParts[count($unkParts) - 1]; // is this a patient or global template
 111     $ptpid = ($ptpid == 'templates') ? '' : ($ptpid . '/'); // last part should be pid or template
 112     $rebuiltPath = $knownPath . $ptpid . $parts['filename'] . '.tpl';
 113     if (file_exists($rebuiltPath) === false || $parts['extension'] != 'tpl') {
 114         redirect();
 115     } elseif (realpath($rebuiltPath) != realpath($filename)) { // these need to match to be valid request
 116         redirect();
 117     } elseif (stripos(realpath($filename), realpath($knownPath)) === false) { // this needs to pass be a valid request
 118         redirect();
 119     }
 120
 121     return $rebuiltPath;
 122 }
 123
 124 function redirect()
 125 {
 126     header('HTTP/1.0 404 Not Found');
 127     die();
 128 }