joshuacoles/wallos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: file upload bypass vulnerability (#181)

Browse Source
This commit is contained in:
Miguel Ribeiro 2024-03-02 15:58:22 +01:00 committed by GitHub
parent 2496cd7114
commit 0f7853f961
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 39 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
endpoints/payments/add.php
View File

@ -9,9 +9,15 @@
function sanitizeFilename($filename) { function sanitizeFilename($filename) {
$filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename); $filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename);
$filename = str_replace(" ", "-", $filename); $filename = str_replace(" ", "-", $filename);
$filename = str_replace(".", "", $filename);
return $filename; return $filename;
} }
function validateFileExtension($fileExtension) {
$allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'jtif', 'webp'];
return in_array($fileExtension, $allowedExtensions);
}
function getLogoFromUrl($url, $uploadDir, $name) { function getLogoFromUrl($url, $uploadDir, $name) {
$ch = curl_init($url); $ch = curl_init($url);
@ -72,6 +78,7 @@
$timestamp = time(); $timestamp = time();
$originalFileName = $uploadedFile['name']; $originalFileName = $uploadedFile['name'];
$fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION); $fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION);
$fileExtension = validateFileExtension($fileExtension) ? $fileExtension : 'png';
$fileName = $timestamp . '-payments-' . sanitizeFilename($name) . '.' . $fileExtension; $fileName = $timestamp . '-payments-' . sanitizeFilename($name) . '.' . $fileExtension;
$uploadFile = $uploadDir . $fileName; $uploadFile = $uploadDir . $fileName;
@ -87,6 +94,10 @@
$image = imagecreatefrompng($uploadFile); $image = imagecreatefrompng($uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') { } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
$image = imagecreatefromjpeg($uploadFile); $image = imagecreatefromjpeg($uploadFile);
} elseif ($fileExtension === 'gif') {
$image = imagecreatefromgif($uploadFile);
} elseif ($fileExtension === 'webp') {
$image = imagecreatefromwebp($uploadFile);
} else { } else {
// Handle other image formats as needed // Handle other image formats as needed
return ""; return "";
@ -120,6 +131,10 @@
imagepng($resizedImage, $uploadFile); imagepng($resizedImage, $uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') { } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
imagejpeg($resizedImage, $uploadFile); imagejpeg($resizedImage, $uploadFile);
} elseif ($fileExtension === 'gif') {
imagegif($resizedImage, $uploadFile);
} elseif ($fileExtension === 'webp') {
imagewebp($resizedImage, $uploadFile);
} else { } else {
return ""; return "";
} }

15
endpoints/subscription/add.php
View File

@ -9,9 +9,15 @@
function sanitizeFilename($filename) { function sanitizeFilename($filename) {
$filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename); $filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename);
$filename = str_replace(" ", "-", $filename); $filename = str_replace(" ", "-", $filename);
$filename = str_replace(".", "", $filename);
return $filename; return $filename;
} }
function validateFileExtension($fileExtension) {
$allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
return in_array($fileExtension, $allowedExtensions);
}
function getLogoFromUrl($url, $uploadDir, $name) { function getLogoFromUrl($url, $uploadDir, $name) {
$ch = curl_init($url); $ch = curl_init($url);
@ -72,6 +78,7 @@
$timestamp = time(); $timestamp = time();
$originalFileName = $uploadedFile['name']; $originalFileName = $uploadedFile['name'];
$fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION); $fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION);
$fileExtension = validateFileExtension($fileExtension) ? $fileExtension : 'png';
$fileName = $timestamp . '-' . sanitizeFilename($name) . '.' . $fileExtension; $fileName = $timestamp . '-' . sanitizeFilename($name) . '.' . $fileExtension;
$uploadFile = $uploadDir . $fileName; $uploadFile = $uploadDir . $fileName;
@ -87,6 +94,10 @@
$image = imagecreatefrompng($uploadFile); $image = imagecreatefrompng($uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') { } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
$image = imagecreatefromjpeg($uploadFile); $image = imagecreatefromjpeg($uploadFile);
} elseif ($fileExtension === 'gif') {
$image = imagecreatefromgif($uploadFile);
} elseif ($fileExtension === 'webp') {
$image = imagecreatefromwebp($uploadFile);
} else { } else {
// Handle other image formats as needed // Handle other image formats as needed
return ""; return "";
@ -120,6 +131,10 @@
imagepng($resizedImage, $uploadFile); imagepng($resizedImage, $uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') { } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
imagejpeg($resizedImage, $uploadFile); imagejpeg($resizedImage, $uploadFile);
} elseif ($fileExtension === 'gif') {
imagegif($resizedImage, $uploadFile);
} elseif ($fileExtension === 'webp') {
imagewebp($resizedImage, $uploadFile);
} else { } else {
return ""; return "";
} }

2
includes/version.php
View File

@ -1,3 +1,3 @@
<?php <?php
$version = "v1.11.0"; $version = "v1.11.2";
?> ?>

2
index.php
View File

@ -135,7 +135,7 @@
<label for="logo" class="logo-preview"> <label for="logo" class="logo-preview">
<img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-logo"> <img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-logo">
</label> </label>
<input type="file" id="logo" name="logo" accept="image/jpeg, image/png" onchange="handleFileSelect(event)" class="hidden-input"> <input type="file" id="logo" name="logo" accept="image/jpeg, image/png, image/gif, image/webp" onchange="handleFileSelect(event)" class="hidden-input">
<input type="hidden" id="logo-url" name="logo-url"> <input type="hidden" id="logo-url" name="logo-url">
<div id="logo-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchLogo()"> <div id="logo-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchLogo()">
<img src="images/siteicons/websearch.png"> <img src="images/siteicons/websearch.png">

5
nginx.conf
View File

@ -42,6 +42,11 @@ http {
deny all; deny all;
return 403; return 403;
} }
location ~* images/uploads/logos/.*\.php$ {
deny all;
return 403;
}
} }
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;

6
settings.php
View File

@ -506,9 +506,7 @@
<?php <?php
if ($payment['id'] > 31 && !$inUse) { if ($payment['id'] > 31 && !$inUse) {
?> ?>
<div class="delete-payment-method" title="<?= translate('delete', $i18n) ?>" data-paymentid="<?= $payment['id'] ?>"> <div class="delete-payment-method" title="<?= translate('delete', $i18n) ?>" data-paymentid="<?= $payment['id'] ?>">x</div>
x
</div>
<?php <?php
} }
?> ?>
@ -534,7 +532,7 @@
<img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-icon"> <img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-icon">
</label> </label>
<div class="form-icon-search"> <div class="form-icon-search">
<input type="file" id="paymenticon" name="paymenticon" accept="image/jpeg, image/png" onchange="handleFileSelect(event)" class="hidden-input"> <input type="file" id="paymenticon" name="paymenticon" accept="image/jpeg, image/png, image/gif, image/webp" onchange="handleFileSelect(event)" class="hidden-input">
<input type="hidden" id="icon-url" name="icon-url"> <input type="hidden" id="icon-url" name="icon-url">
<div id="icon-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchPaymentIcon()"> <div id="icon-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchPaymentIcon()">
<img src="images/siteicons/websearch.png"> <img src="images/siteicons/websearch.png">