Skip to content

Commit

Permalink
fix: file upload bypass vulnerability (#181)
Browse files Browse the repository at this point in the history
  • Loading branch information
ellite authored Mar 2, 2024
1 parent 2496cd7 commit 0f7853f
Show file tree
Hide file tree
Showing 6 changed files with 39 additions and 6 deletions.
15 changes: 15 additions & 0 deletions endpoints/payments/add.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,15 @@
function sanitizeFilename($filename) {
$filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename);
$filename = str_replace(" ", "-", $filename);
$filename = str_replace(".", "", $filename);
return $filename;
}

function validateFileExtension($fileExtension) {
$allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'jtif', 'webp'];
return in_array($fileExtension, $allowedExtensions);
}

function getLogoFromUrl($url, $uploadDir, $name) {

$ch = curl_init($url);
Expand Down Expand Up @@ -72,6 +78,7 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
$timestamp = time();
$originalFileName = $uploadedFile['name'];
$fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION);
$fileExtension = validateFileExtension($fileExtension) ? $fileExtension : 'png';
$fileName = $timestamp . '-payments-' . sanitizeFilename($name) . '.' . $fileExtension;
$uploadFile = $uploadDir . $fileName;

Expand All @@ -87,6 +94,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
$image = imagecreatefrompng($uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
$image = imagecreatefromjpeg($uploadFile);
} elseif ($fileExtension === 'gif') {
$image = imagecreatefromgif($uploadFile);
} elseif ($fileExtension === 'webp') {
$image = imagecreatefromwebp($uploadFile);
} else {
// Handle other image formats as needed
return "";
Expand Down Expand Up @@ -120,6 +131,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
imagepng($resizedImage, $uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
imagejpeg($resizedImage, $uploadFile);
} elseif ($fileExtension === 'gif') {
imagegif($resizedImage, $uploadFile);
} elseif ($fileExtension === 'webp') {
imagewebp($resizedImage, $uploadFile);
} else {
return "";
}
Expand Down
15 changes: 15 additions & 0 deletions endpoints/subscription/add.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,15 @@
function sanitizeFilename($filename) {
$filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename);
$filename = str_replace(" ", "-", $filename);
$filename = str_replace(".", "", $filename);
return $filename;
}

function validateFileExtension($fileExtension) {
$allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
return in_array($fileExtension, $allowedExtensions);
}

function getLogoFromUrl($url, $uploadDir, $name) {

$ch = curl_init($url);
Expand Down Expand Up @@ -72,6 +78,7 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
$timestamp = time();
$originalFileName = $uploadedFile['name'];
$fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION);
$fileExtension = validateFileExtension($fileExtension) ? $fileExtension : 'png';
$fileName = $timestamp . '-' . sanitizeFilename($name) . '.' . $fileExtension;
$uploadFile = $uploadDir . $fileName;

Expand All @@ -87,6 +94,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
$image = imagecreatefrompng($uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
$image = imagecreatefromjpeg($uploadFile);
} elseif ($fileExtension === 'gif') {
$image = imagecreatefromgif($uploadFile);
} elseif ($fileExtension === 'webp') {
$image = imagecreatefromwebp($uploadFile);
} else {
// Handle other image formats as needed
return "";
Expand Down Expand Up @@ -120,6 +131,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
imagepng($resizedImage, $uploadFile);
} elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
imagejpeg($resizedImage, $uploadFile);
} elseif ($fileExtension === 'gif') {
imagegif($resizedImage, $uploadFile);
} elseif ($fileExtension === 'webp') {
imagewebp($resizedImage, $uploadFile);
} else {
return "";
}
Expand Down
2 changes: 1 addition & 1 deletion includes/version.php
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
<?php
$version = "v1.11.0";
$version = "v1.11.2";
?>
2 changes: 1 addition & 1 deletion index.php
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@
<label for="logo" class="logo-preview">
<img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-logo">
</label>
<input type="file" id="logo" name="logo" accept="image/jpeg, image/png" onchange="handleFileSelect(event)" class="hidden-input">
<input type="file" id="logo" name="logo" accept="image/jpeg, image/png, image/gif, image/webp" onchange="handleFileSelect(event)" class="hidden-input">
<input type="hidden" id="logo-url" name="logo-url">
<div id="logo-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchLogo()">
<img src="images/siteicons/websearch.png">
Expand Down
5 changes: 5 additions & 0 deletions nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,11 @@ http {
deny all;
return 403;
}

location ~* images/uploads/logos/.*\.php$ {
deny all;
return 403;
}
}

include /etc/nginx/conf.d/*.conf;
Expand Down
6 changes: 2 additions & 4 deletions settings.php
Original file line number Diff line number Diff line change
Expand Up @@ -506,9 +506,7 @@
<?php
if ($payment['id'] > 31 && !$inUse) {
?>
<div class="delete-payment-method" title="<?= translate('delete', $i18n) ?>" data-paymentid="<?= $payment['id'] ?>">
x
</div>
<div class="delete-payment-method" title="<?= translate('delete', $i18n) ?>" data-paymentid="<?= $payment['id'] ?>">x</div>
<?php
}
?>
Expand All @@ -534,7 +532,7 @@
<img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-icon">
</label>
<div class="form-icon-search">
<input type="file" id="paymenticon" name="paymenticon" accept="image/jpeg, image/png" onchange="handleFileSelect(event)" class="hidden-input">
<input type="file" id="paymenticon" name="paymenticon" accept="image/jpeg, image/png, image/gif, image/webp" onchange="handleFileSelect(event)" class="hidden-input">
<input type="hidden" id="icon-url" name="icon-url">
<div id="icon-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchPaymentIcon()">
<img src="images/siteicons/websearch.png">
Expand Down

0 comments on commit 0f7853f

Please sign in to comment.