From e67a75805cf68365e1b2abc99f18b63d33811a16 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Fri, 12 May 2023 15:24:57 -0400
Subject: [PATCH] Fix: Authenticated users can craft a POST request to delete
 any file on the webserver. Thank you @ bhopkins0

---
 client_contact_edit_modal.php  |  1 -
 client_location_edit_modal.php |  2 +-
 expense_edit_modal.php         |  1 -
 post.php                       | 36 +++++++++++++++++++++++++++-------
 settings_company.php           |  1 -
 user_edit_modal.php            |  1 -
 user_profile.php               |  1 -
 7 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/client_contact_edit_modal.php b/client_contact_edit_modal.php
index 86e799a5..6aa09f57 100644
--- a/client_contact_edit_modal.php
+++ b/client_contact_edit_modal.php
@@ -16,7 +16,6 @@
                 <!-- End prevent undefined errors -->
                 <input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
                 <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
-                <input type="hidden" name="existing_file_name" value="<?php echo $contact_photo; ?>">
                 <div class="modal-body bg-white">
 
                     <ul class="nav nav-pills nav-justified mb-3">
diff --git a/client_location_edit_modal.php b/client_location_edit_modal.php
index c919e5c6..d3db4b17 100644
--- a/client_location_edit_modal.php
+++ b/client_location_edit_modal.php
@@ -10,7 +10,7 @@
             <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
                 <input type="hidden" name="location_id" value="<?php echo $location_id; ?>">
                 <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
-                <input type="hidden" name="existing_file_name" value="<?php echo $location_photo; ?>">
+                
                 <div class="modal-body bg-white">
 
                     <ul class="nav nav-pills nav-justified mb-3">
diff --git a/expense_edit_modal.php b/expense_edit_modal.php
index f0b2a941..b51212c0 100644
--- a/expense_edit_modal.php
+++ b/expense_edit_modal.php
@@ -10,7 +10,6 @@
             <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
                 <div class="modal-body bg-white">
                     <input type="hidden" name="expense_id" value="<?php echo $expense_id; ?>">
-                    <input type="hidden" name="existing_file_name" value="<?php echo $expense_receipt; ?>">
 
                     <div class="form-row">
 
diff --git a/post.php b/post.php
index 8e42ef1a..fc608b10 100644
--- a/post.php
+++ b/post.php
@@ -92,7 +92,11 @@ if(isset($_POST['edit_user'])){
     $user_id = intval($_POST['user_id']);
     $new_password = trim($_POST['new_password']);
 
-    $existing_file_name = sanitizeInput($_POST['existing_file_name']);
+    // Get current Avatar
+    $sql = mysqli_query($mysqli,"SELECT user_avatar FROM users WHERE user_id = $user_id");
+    $row = mysqli_fetch_array($sql);
+    $existing_file_name = sanitizeInput($row['user_avatar']);
+
     $extended_log_description = '';
     if(!empty($_POST['2fa'])) {
         $two_fa = $_POST['2fa'];
@@ -294,7 +298,11 @@ if(isset($_POST['edit_profile'])){
     $name = sanitizeInput($_POST['name']);
     $email = sanitizeInput($_POST['email']);
     $new_password = trim($_POST['new_password']);
-    $existing_file_name = sanitizeInput($_POST['existing_file_name']);
+    
+    $sql = mysqli_query($mysqli,"SELECT user_avatar FROM users WHERE user_id = $user_id");
+    $row = mysqli_fetch_array($sql);
+    $existing_file_name = sanitizeInput($row['user_avatar']);
+
     $logout = false;
     $extended_log_description = '';
 
@@ -478,7 +486,9 @@ if(isset($_POST['edit_company'])){
 
     validateAdminRole();
 
-    $existing_file_name = sanitizeInput($_POST['existing_file_name']);
+    $sql = mysqli_query($mysqli,"SELECT company_logo FROM companies WHERE company_id = 1");
+    $row = mysqli_fetch_array($sql);
+    $existing_file_name = sanitizeInput($row['company_logo']);
 
     // Check to see if a file is attached
     if($_FILES['file']['tmp_name'] != ''){
@@ -2733,8 +2743,11 @@ if(isset($_POST['edit_expense'])){
     require_once('models/expense.php');
 
     $expense_id = intval($_POST['expense_id']);
-    $existing_file_name = sanitizeInput($_POST['existing_file_name']);
-
+    
+    // Get old receipt
+    $sql = mysqli_query($mysqli,"SELECT expense_receipt FROM expenses WHERE expense_id = $expense_id");
+    $row = mysqli_fetch_array($sql);
+    $existing_file_name = sanitizeInput($row['expense_receipt']);
 
     // Check for and process attachment
     $extended_alert_description = '';
@@ -4233,7 +4246,12 @@ if(isset($_POST['edit_contact'])){
     require_once('models/contact.php');
 
     $contact_id = intval($_POST['contact_id']);
-    $existing_file_name = sanitizeInput($_POST['existing_file_name']);
+
+    // Get Exisiting Contact Photo
+    $sql = mysqli_query($mysqli,"SELECT contact_photo FROM contacts WHERE contact_id = $contact_id");
+    $row = mysqli_fetch_array($sql);
+    $existing_file_name = sanitizeInput($row['contact_photo']);
+
 
     if(!file_exists("uploads/clients/$client_id")) {
         mkdir("uploads/clients/$client_id");
@@ -4600,7 +4618,11 @@ if(isset($_POST['edit_location'])){
 
     $location_id = intval($_POST['location_id']);
 
-    $existing_file_name = sanitizeInput($_POST['existing_file_name']);
+    // Get old location photo
+    $sql = mysqli_query($mysqli,"SELECT location_photo FROM locations WHERE location_id = $location_id");
+    $row = mysqli_fetch_array($sql);
+    $existing_file_name = sanitizeInput($row['location_photo']);
+
 
     if(!file_exists("uploads/clients/$client_id")) {
         mkdir("uploads/clients/$client_id");
diff --git a/settings_company.php b/settings_company.php
index f2535d46..7f0c913d 100644
--- a/settings_company.php
+++ b/settings_company.php
@@ -28,7 +28,6 @@ $company_initials = nullable_htmlentities(initials($company_name));
         </div>
         <div class="card-body">
             <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
-                <input type="hidden" name="existing_file_name" value="<?php echo $company_logo; ?>">
 
                 <div class="form-group">
                     <label>Name <strong class="text-danger">*</strong></label>
diff --git a/user_edit_modal.php b/user_edit_modal.php
index f715182d..90e54460 100644
--- a/user_edit_modal.php
+++ b/user_edit_modal.php
@@ -11,7 +11,6 @@
             <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
                 <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
                 <input type="hidden" name="user_id" value="<?php echo $user_id; ?>">
-                <input type="hidden" name="existing_file_name" value="<?php echo "$user_avatar"; ?>">
                 <div class="modal-body bg-white">
 
                     <center class="mb-3">
diff --git a/user_profile.php b/user_profile.php
index 38083e93..9830e1c4 100644
--- a/user_profile.php
+++ b/user_profile.php
@@ -23,7 +23,6 @@ $sql_recent_logs = mysqli_query($mysqli, "SELECT * FROM logs
 
                 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
                     <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
-                    <input type="hidden" name="existing_file_name" value="<?php echo nullable_htmlentities($session_avatar); ?>">
 
                     <center class="mb-3 px-5">
                         <?php if (empty($session_avatar)) { ?>