From: Salvatore Bonaccorso <carnil@debian.org>
Bug-Debian: http://bugs.debian.org/700912
Subject: CVE-2013-0332: local file inclusion vulnerability
Bug-Upstream: http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979

Backported r3483 and r3488 from upstream svn to fix CVE-2013-0332.

Index: zoneminder/web/includes/functions.php
===================================================================
--- zoneminder.orig/web/includes/functions.php 2013-02-26 17:07:02.000000000 -0800
+++ zoneminder/web/includes/functions.php      2013-02-26 17:08:10.806977380 -0800
@@ -2231,13 +2231,21 @@
     return( rand( 1, 999999 ) );
 }

+function detaintPath( $path )
+{
+    // Remove any absolute paths, or relative ones that want to go up
+    $path = preg_replace( '/\.\.+\/\/*/', '', $path );
+    $path = preg_replace( '/^\/\/*/', '', $path );
+    return( $path );
+}
+
 function getSkinFile( $file )
 {
     global $skinBase;
     $skinFile = false;
     foreach ( $skinBase as $skin )
     {
-        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
+        $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
         if ( file_exists( $tempSkinFile ) )
             $skinFile = $tempSkinFile;
     }
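Review bot: `detaintPath` is a blocklist that only strips runs of two-or-more dots followed by slashes and a leading slash, and nothing on the function says so; because `$file` here is always a skin-relative name, a positive check on `$file` before concatenation (rejecting any `..` segment or characters outside the expected name set, returning `false` as the function already does for a missing file) would be the more robust guard. As written the strip runs after `$skin` has been joined in, so it also rewrites the configured `$skinBase` entries rather than just the untrusted `$file`. Backslashes and a bare trailing `..` with no slash are left alone, which looks harmless on POSIX for the visible callers but deserves a header comment such as `// Single-pass strip of a leading '/' and '..'-style segments; POSIX separators only, callers must still validate $file.` The same one-line change appears in the second hunk (getSkinIncludes), whose function header lies outside that hunk.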
@@ -2250,7 +2258,7 @@
     $skinFile = false;
     foreach ( $skinBase as $skin )
     {
-        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
+        $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
         if ( file_exists( $tempSkinFile ) )
             $skinFile = $tempSkinFile;
     }
Index: zoneminder/web/index.php
===================================================================
--- zoneminder.orig/web/index.php      2013-02-26 16:55:04.000000000 -0800
+++ zoneminder/web/index.php   2013-02-26 17:13:03.376428137 -0800
@@ -95,11 +95,20 @@
 require_once( 'includes/lang.php' );
 require_once( 'includes/functions.php' );
 
-if ( isset($_REQUEST['view']) )
-    $view = validHtmlStr($_REQUEST['view']);
+if ( isset($_REQUEST['view']) ) {
+    $view = detaintPath($_REQUEST['view']);
+    $view = validHtmlStr($view);
+}
 
-if ( isset($_REQUEST['action']) )
-    $action = validHtmlStr($_REQUEST['action']);
+if ( isset($_REQUEST['request']) ) {
+    $request = detaintPath($_REQUEST['request']);
+    $request = validHtmlStr($request);
+}
+
+if ( isset($_REQUEST['action']) ) {
+    $action = detaintPath($_REQUEST['action']);
+    $action = validHtmlStr($action);
+}
 
 require_once( 'includes/actions.php' );
 
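Review bot: `$view`, `$request` and `$action` go straight from `$_REQUEST` into `detaintPath` with no type check, so a query such as `view[]=x` hands `preg_replace` an array and the variable becomes an array instead of a string (this was already possible through `validHtmlStr` alone, but the new code adds a second call that accepts it silently). Since `$view` and `$request` are only used to name a script file (`'ajax/'.$request.'.php'` is visible in the next hunk), an allowlist on the identifier is the stronger control, presumably something like `if ( isset($_REQUEST['view']) && is_string($_REQUEST['view']) && preg_match( '/^[A-Za-z0-9_]+$/', $_REQUEST['view'] ) )` as the guard for each block, with the exact character set confirmed against the real view and request names. Hoisting the `$request` assignment here and dropping it from the later block is fine, but a one-line comment stating why, e.g. `// Detaint before any include path is built from these names`, would help the next reader.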
@@ -108,7 +117,6 @@
 
 if ( isset( $_REQUEST['request'] ) )
 {
-    $request = validHtmlStr($_REQUEST['request']);
     foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
     {
         if ( !file_exists( $includeFile ) )
