From c24a10a0c8b0e12b31257164da407dbef28eb153 Mon Sep 17 00:00:00 2001
From: dignajar
Date: Sun, 25 Sep 2016 23:30:06 -0300
Subject: [PATCH] Security fixes

---
 bl-kernel/ajax/delete-file.php |  5 ++++-
 bl-kernel/ajax/slug.php        |  5 ++++-
 bl-kernel/ajax/uploader.php    | 15 ++++++++++++---
 bl-kernel/boot/admin.php       |  3 +++
 4 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/bl-kernel/ajax/delete-file.php b/bl-kernel/ajax/delete-file.php
index 8a5ab299..d53e816d 100644
--- a/bl-kernel/ajax/delete-file.php
+++ b/bl-kernel/ajax/delete-file.php
@@ -26,6 +26,9 @@ if( Sanitize::pathFile(PATH_UPLOADS.$filename) ) {
 	exit;
 }
-echo json_encode( array('status'=>0, 'msg'=>'The file does not exist.') );
+exit(json_encode(array(
+	'status'=>0,
+	'msg'=>'The file does not exist.'
+)));
 ?>
\ No newline at end of file
diff --git a/bl-kernel/ajax/slug.php b/bl-kernel/ajax/slug.php
index cf94e123..4315d68b 100644
--- a/bl-kernel/ajax/slug.php
+++ b/bl-kernel/ajax/slug.php
@@ -21,6 +21,9 @@ elseif( $_POST['type']==='post' ) {
 	$slug = $dbPosts->generateKey($text, $key);
 }
-echo json_encode( array('status'=>1, 'slug'=>$slug) );
+exit(json_encode(array(
+	'status'=>1,
+	'slug'=>$slug
+)));
 ?>
\ No newline at end of file
diff --git a/bl-kernel/ajax/uploader.php b/bl-kernel/ajax/uploader.php
index 281dddaf..d671c98d 100644
--- a/bl-kernel/ajax/uploader.php
+++ b/bl-kernel/ajax/uploader.php
@@ -18,6 +18,15 @@ $filename = pathinfo($filename, PATHINFO_FILENAME);
 $filename = Text::replace(' ', '', $filename);
 $filename = Text::replace('_', '', $filename);
+// Check extension
+$validExtension = array('tiff', 'gif', 'png', 'jpg', 'jpeg', 'bmp');
+if( !in_array($fileExtension, $validExtension) ) {
+	exit(json_encode(array(
+		'status'=>1,
+		'msg'=>'Invalid extension file.'
+	)));
+}
+
 // Generate the next filename if the filename already exist.
 $tmpName = $filename.'.'.$fileExtension;
 if( file_exists(PATH_UPLOADS.$tmpName) )
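Review bot: The new allowlist check in uploader.php compares `$fileExtension` as-is, so whether `.JPG` or `.Png` uploads pass depends on how `$fileExtension` is derived above the hunk; unless it is already lowercased there, normalise it and compare strictly: `if( !in_array(strtolower($fileExtension), $validExtension, true) ) {`. An extension allowlist says nothing about the file content — the bytes behind a `.png` name can be anything — so a `getimagesize()` or finfo MIME check on the temporary file before it is moved into PATH_UPLOADS would be the complementary defence. Note also that 'svg' is absent from the list while the `strcasecmp($fileExtension, 'svg')` branches in the @@ -47 and @@ -56 hunks of the same file remain; if excluding SVG is intentional (it can carry active content) those branches are now dead and should go, otherwise the list needs updating. The failure response here uses `'status'=>1`, whereas delete-file.php in this same patch reports its failure with `'status'=>0`; worth confirming which convention the JavaScript callers expect.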
@@ -47,7 +56,7 @@ if($type=='profilePicture')
 else {
 	// Generate the thumbnail
 	$Image = new Image();
-
+
 	//Handling all other formats than svg
 	if (strcasecmp($fileExtension, 'svg') != 0) {
 		$Image->setImage(PATH_TMP.'original'.'.'.$fileExtension, THUMBNAILS_WIDTH, THUMBNAILS_HEIGHT, 'crop');
@@ -56,7 +65,7 @@ else {
 	// Move the original to the upload folder.
 	rename(PATH_TMP.'original'.'.'.$fileExtension, PATH_UPLOADS.$tmpName);
-
+
 	//If it is a svg file, just save a copy in thumbnail-folder
 	if (strcasecmp($fileExtension, 'svg') == 0) {
 		symlink(PATH_UPLOADS.$tmpName, PATH_UPLOADS_THUMBNAILS.$tmpName);
@@ -73,4 +82,4 @@ exit(json_encode(array(
 	'filename'=>$tmpName
 )));
-?>
+?>
\ No newline at end of file
diff --git a/bl-kernel/boot/admin.php b/bl-kernel/boot/admin.php
index fcc39779..04f61bf2 100644
--- a/bl-kernel/boot/admin.php
+++ b/bl-kernel/boot/admin.php
@@ -30,6 +30,9 @@ if( $layout['slug']==='ajax' )
 	// Check if the user is loggued.
 	if($Login->isLogged()) {
+		// Rules: Security check CSRF
+		include(PATH_RULES.'99.security.php');
+
 		// Load the ajax file.
 		if( Sanitize::pathFile(PATH_AJAX, $layout['parameters'].'.php') ) {
 			include(PATH_AJAX.$layout['parameters'].'.php');
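Review bot: The CSRF rule in admin.php is pulled in with `include`, so if `PATH_RULES.'99.security.php'` is missing or unreadable PHP only emits a warning and continues straight into the ajax include, silently skipping the check; a security gate should fail closed, i.e. `require(PATH_RULES.'99.security.php');`. The hunk does not show what 99.security.php does when its check fails, so it is worth confirming it terminates the request itself rather than merely setting a flag, since nothing after the include tests one before the ajax file is loaded. The enclosing `if($Login->isLogged())` block closes outside the hunk.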