Security: Restrict direct attachment access and upload file types

attachments/.htaccess

@@ -1,8 +1,15 @@
-AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .$
-
 Options -ExecCGI -Indexes
 
-#grant access only if files with specific extensions are uploaded
-  <FilesMatch "(?i)\.(bmp|csv|doc|docx|heic|html|jpeg|jpg|msg|odg|odt|pages|pdf|png|ppt|pptx|rtf|tiff|wpd|wps|xls|xlsx|xps)$">
-    Require all granted
-  </FilesMatch>
+# Deny all direct HTTP access to files stored in this directory.
+# Attachments must be served through the application (AttachmentsUI) so that authentication and authorization checks are always enforced.
+
+# For Apache 2.4 and later (using mod_authz_core): deny all requests to this directory.
+<IfModule mod_authz_core.c>
+    Require all denied
+</IfModule>
+
+# For older Apache versions or when mod_authz_core is not available: use the legacy access control syntax to deny all requests to this directory.
+<IfModule !mod_authz_core.c>
+    Order deny,allow
+    Deny from all
+</IfModule>

lib/Attachments.php

@@ -955,6 +955,27 @@ public function createFromUpload($dataItemType, $dataItemID, $fileField,
             return false;
         }
 
+        /* Restrict uploads to a whitelist of allowed file extensions.
+         * This is a server-side validation which cannot be bypassed by
+         * manipulating client-side restrictions.
+         */
+        $allowedExtensions = array(
+            'bmp', 'csv', 'doc', 'docx', 'heic',
+            'jpeg', 'jpg', 'msg', 'odg', 'odt',
+            'pages', 'pdf', 'png', 'ppt', 'pptx',
+            'rtf', 'tiff', 'wpd', 'wps', 'xls',
+            'xlsx', 'xps'
+        );
+
+        $extension = FileUtility::getFileExtension($originalFilename);
+
+        if (!in_array($extension, $allowedExtensions, true))
+        {
+            $this->_isError = true;
+            $this->_error = 'This file type is not allowed for upload.';
+            return false;
+        }
+
         /* This usually indicates an error. */
         if ($fileSize <= 0)
         {

lib/FileUtility.php

@@ -327,7 +327,15 @@ public static function getFileWithoutExtension($filename,
      */
     public static function getFileExtension($filename)
     {
-        return strtolower(substr($filename, strrpos($filename, '.') + 1));
+        $lastDotPosition = strrpos($filename, '.');
+
+        // Treat dotless names and dotfiles as having no extension.
+        if ($lastDotPosition === false || $lastDotPosition === 0)
+        {
+            return '';
+        }
+
+        return strtolower(substr($filename, $lastDotPosition + 1));
     }
 
     /**

modules/candidates/CreateImageAttachmentModal.tpl

@@ -9,8 +9,8 @@
             <?php foreach ($this->attachmentsRS as $rowNumber => $attachmentsData): ?>
                  <?php if ($attachmentsData['isProfileImage'] == '1'): ?>
                     <div style="text-align:center;">
-                        <a href="attachments/<?php $this->_($attachmentsData['directoryName']) ?>/<?php $this->_($attachmentsData['storedFilename']) ?>">
-                            <img src="attachments/<?php $this->_($attachmentsData['directoryName']) ?>/<?php $this->_($attachmentsData['storedFilename']) ?>" border="0" width="165">
+                        <a href="<?php echo $attachmentsData['retrievalURL']; ?>">
+                            <img src="<?php echo $attachmentsData['retrievalURL']; ?>" border="0" width="165">
                         </a>
                     </div>
                  <?php endif; ?>

modules/candidates/Questionnaire.tpl

@@ -1,5 +1,5 @@
 <?php /* $Id: Questionnaire.tpl 3668 2007-11-21 00:38:50Z brian $ */ ?>
-<?php TemplateUtility::printHeader('Candidate - '.$this->cData['firstName'].' '.$this->cData['lastName'] . ' Questionnaire', array( 'js/activity.js', 'js/sorttable.js', 'js/match.js', 'js/lib.js', 'js/pipeline.js', 'js/attachment.js')); ?>
+<?php TemplateUtility::printHeader('Candidate - '.$this->cData['firstName'].' '.$this->cData['lastName'] . ' Questionnaire', array( 'js/activity.js', 'js/sorttable.js', 'js/match.js', 'js/lib.js', 'js/pipeline.js')); ?>
 <?php if (!$this->print): ?>
 <?php TemplateUtility::printHeaderBlock(); ?>
 <?php TemplateUtility::printTabs($this->active); ?>

modules/candidates/Show.tpl

@@ -4,9 +4,9 @@ use OpenCATS\UI\CandidateQuickActionMenu;
 use OpenCATS\UI\CandidateDuplicateQuickActionMenu;
 ?>
 <?php if ($this->isPopup): ?>
-    <?php TemplateUtility::printHeader('Candidate - '.$this->data['firstName'].' '.$this->data['lastName'], array( 'js/activity.js', 'js/sorttable.js', 'js/match.js', 'js/lib.js', 'js/pipeline.js', 'js/attachment.js', 'modules/candidates/quickAction-candidates.js')); ?>
+    <?php TemplateUtility::printHeader('Candidate - '.$this->data['firstName'].' '.$this->data['lastName'], array( 'js/activity.js', 'js/sorttable.js', 'js/match.js', 'js/lib.js', 'js/pipeline.js', 'modules/candidates/quickAction-candidates.js')); ?>
 <?php else: ?>
-    <?php TemplateUtility::printHeader('Candidate - '.$this->data['firstName'].' '.$this->data['lastName'], array( 'js/activity.js', 'js/sorttable.js', 'js/match.js', 'js/lib.js', 'js/pipeline.js', 'js/attachment.js', 'modules/candidates/quickAction-candidates.js', 'modules/candidates/quickAction-duplicates.js')); ?>
+    <?php TemplateUtility::printHeader('Candidate - '.$this->data['firstName'].' '.$this->data['lastName'], array( 'js/activity.js', 'js/sorttable.js', 'js/match.js', 'js/lib.js', 'js/pipeline.js', 'modules/candidates/quickAction-candidates.js', 'modules/candidates/quickAction-duplicates.js')); ?>
 
     <?php TemplateUtility::printHeaderBlock(); ?>
     <?php TemplateUtility::printTabs($this->active); ?>
@@ -237,8 +237,8 @@ use OpenCATS\UI\CandidateDuplicateQuickActionMenu;
                                     </tr>
                                     <tr>
                                         <td class="data">
-                                            <a href="attachments/<?php $this->_($attachmentsData['directoryName']) ?>/<?php $this->_($attachmentsData['storedFilename']) ?>">
-                                                <img src="attachments/<?php $this->_($attachmentsData['directoryName']) ?>/<?php $this->_($attachmentsData['storedFilename']) ?>" border="0" alt="" width="125" />
+                                            <a href="<?php echo $attachmentsData['retrievalURL']; ?>">
+                                                <img src="<?php echo $attachmentsData['retrievalURL']; ?>" border="0" alt="" width="125" />
                                             </a>
                                         </td>
                                     </tr>

modules/companies/Show.tpl

@@ -2,7 +2,7 @@
 include_once('./vendor/autoload.php');
 use OpenCATS\UI\QuickActionMenu;
 ?>
-<?php TemplateUtility::printHeader('Company - '.$this->data['name'], array( 'js/sorttable.js', 'js/attachment.js')); ?>
+<?php TemplateUtility::printHeader('Company - '.$this->data['name'], array( 'js/sorttable.js')); ?>
 <?php TemplateUtility::printHeaderBlock(); ?>
 <?php TemplateUtility::printTabs($this->active); ?>
     <div id="main">

modules/contacts/Show.tpl

@@ -3,7 +3,7 @@
 include_once('./vendor/autoload.php');
 use OpenCATS\UI\QuickActionMenu;
 ?>
-<?php TemplateUtility::printHeader('Contact - '.$this->data['firstName'].' '.$this->data['lastName'], array( 'js/activity.js', 'js/attachment.js')); ?>
+<?php TemplateUtility::printHeader('Contact - '.$this->data['firstName'].' '.$this->data['lastName'], array( 'js/activity.js')); ?>
 <?php TemplateUtility::printHeaderBlock(); ?>
 <?php TemplateUtility::printTabs($this->active); ?>
     <div id="main">

modules/joborders/Show.tpl

@@ -3,9 +3,9 @@ include_once('./vendor/autoload.php');
 use OpenCATS\UI\QuickActionMenu;
 ?>
 <?php if ($this->isPopup): ?>
-    <?php TemplateUtility::printHeader('Job Order - '.$this->data['title'], array('js/sorttable.js', 'js/match.js', 'js/pipeline.js', 'js/attachment.js')); ?>
+    <?php TemplateUtility::printHeader('Job Order - '.$this->data['title'], array('js/sorttable.js', 'js/match.js', 'js/pipeline.js')); ?>
 <?php else: ?>
-    <?php TemplateUtility::printHeader('Job Order - '.$this->data['title'], array( 'js/sorttable.js', 'js/match.js', 'js/pipeline.js', 'js/attachment.js')); ?>
+    <?php TemplateUtility::printHeader('Job Order - '.$this->data['title'], array( 'js/sorttable.js', 'js/match.js', 'js/pipeline.js')); ?>
     <?php TemplateUtility::printHeaderBlock(); ?>
     <?php TemplateUtility::printTabs($this->active); ?>
         <div id="main">

modules/settings/Backup.tpl

@@ -46,7 +46,7 @@
                                     </td>
                                     <td>
                                         (<?php $this->_($attachmentsData['fileSize']) ?>)&nbsp;
-                                        <a href="<?php echo $attachmentsData['retrievalURLLocal']; ?>">
+                                        <a href="<?php echo $attachmentsData['retrievalURL']; ?>">
                                             <?php $this->_($attachmentsData['originalFilename']) ?>
                                         </a>
                                     </td>