diff --git a/CHANGELOG b/CHANGELOG
index 33ca74f19..c00e86354 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -42,6 +42,7 @@ CHANGELOG Roundcube Webmail
 - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
 - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
 - Security: Fix XSS issue in handling of CDATA in HTML messages
+- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
 
 RELEASE 1.4.3
 -------------
diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php
index a47fd7f84..df36a34db 100644
--- a/program/lib/Roundcube/rcube_image.php
+++ b/program/lib/Roundcube/rcube_image.php
@@ -158,7 +158,8 @@ class rcube_image
 'size' => $width . 'x' . $height,
 );
 
- $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
+ $result = rcube::exec(escapeshellcmd($convert)
+ . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
 . ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
 }
 // use PHP's Imagick class
@@ -323,7 +324,8 @@ class rcube_image
 $p['out'] = $filename;
 $p['type'] = self::$extensions[$type];
 
- $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
+ $result = rcube::exec(escapeshellcmd($convert)
+ . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
 
 if ($result === '') {
 chmod($filename, 0600);
@@ -419,7 +421,7 @@ class rcube_image
 // use ImageMagick in command line
 if ($cmd = $rcube->config->get('im_identify_path')) {
 $args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
- $id = rcube::exec($cmd. ' 2>/dev/null -format {format} {in}', $args);
+ $id = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);
 if ($id) {
 return explode(' ', strtolower($id));
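Review bot: `escapeshellcmd($convert)` in the `@@ -158` hunk prevents the configured path from chaining a second shell command, but it does not reduce the value to a single argument: whitespace and paired quotes pass through untouched, so a crafted `im_convert_path` value can still append extra options to the convert invocation, and the same holds for the `escapeshellcmd($convert)` call in the `@@ -323` hunk and the `escapeshellcmd($cmd)` call in the `@@ -419` hunk. If these settings are meant to hold only an executable path, `escapeshellarg($convert)` on a value first checked with `is_executable()` would be the tighter choice, at the cost of rejecting configurations that bundle options into the path. How `{in}`, `{out}`, `{size}` and the other placeholders are quoted depends on `rcube::exec`, which is outside the hunk; it is worth confirming that it applies `escapeshellarg` to every `$p`/`$args` value, since filenames flow through the same command string. The enclosing methods start and end outside the hunks.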