Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings

pull/7357/head
Aleksander Machniak 5 years ago
parent 87e4cd0cf2
commit 4951d6603a

@ -42,6 +42,7 @@ CHANGELOG Roundcube Webmail
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331) - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125) - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages - Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
RELEASE 1.4.3 RELEASE 1.4.3
------------- -------------

@ -158,7 +158,8 @@ class rcube_image
'size' => $width . 'x' . $height, 'size' => $width . 'x' . $height,
); );
$result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip' $result = rcube::exec(escapeshellcmd($convert)
. ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
. ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p); . ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
} }
// use PHP's Imagick class // use PHP's Imagick class
@ -323,7 +324,8 @@ class rcube_image
$p['out'] = $filename; $p['out'] = $filename;
$p['type'] = self::$extensions[$type]; $p['type'] = self::$extensions[$type];
$result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p); $result = rcube::exec(escapeshellcmd($convert)
. ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
if ($result === '') { if ($result === '') {
chmod($filename, 0600); chmod($filename, 0600);
@ -419,7 +421,7 @@ class rcube_image
// use ImageMagick in command line // use ImageMagick in command line
if ($cmd = $rcube->config->get('im_identify_path')) { if ($cmd = $rcube->config->get('im_identify_path')) {
$args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]"); $args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
$id = rcube::exec($cmd. ' 2>/dev/null -format {format} {in}', $args); $id = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);
if ($id) { if ($id) {
return explode(' ', strtolower($id)); return explode(' ', strtolower($id));

Loading…
Cancel
Save