Dev Refixed issue #15782: Remote Code Execution (RCE) in template opt…

…ions file uploader - this time properly
LimeSurvey · Jan 6, 2021 · 756c168 · 756c168 · Shnoulle · Jan 11, 2021
1 parent 8ed5460
commit 756c168
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 7 deletions.
diff --git a/application/config/config-defaults.php b/application/config/config-defaults.php
@@ -85,7 +85,8 @@
 $config['customassetversionnumber']  = 1;        // Used to generate the path of tmp assets (see: LSYii_AssetManager::generatePath()  )
 
 // Please be very careful if you want to allow SVG files - there are several XSS dangerous security issues
-$config['allowedthemeuploads'] = 'gif,ico,jpg,png,css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // File types allowed to be uploaded in the themes section.
+$config['allowedthemeimageformats'] = 'gif,ico,jpg,png'; // Image file types allowed to be uploaded in the themes section.
+$config['allowedthemeuploads'] = 'css,js,map,json,eot,ttf,woff,txt,md,xml,woff2,twig'; // Other file types allowed to be uploaded in the themes section.
 $config['allowedresourcesuploads'] = '7z,aiff,asf,avi,bmp,csv,doc,docx,fla,flv,gif,gz,gzip,ico,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,ppt,pxd,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,sitd,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,xlsx,xml,zip,css,js'; // File types allowed to be uploaded in the resources sections, and with the HTML Editor
 
 $config['memory_limit'] = '256'; // This sets how much memory LimeSurvey can access in megabytes. 256 MB is the minimum recommended - if you are using PDF functions up to 512 MB may be needed

diff --git a/application/controllers/admin/themes.php b/application/controllers/admin/themes.php
@@ -391,7 +391,7 @@ public function uploadfile()
             LSUploadHelper::checkUploadedFileSizeAndRedirect('upload_file', $redirectUrl);
 
             $oEditedTemplate        = Template::getInstance($templatename);
-            $allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads');
+            $allowedthemeuploads = Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats');
             $filename               = sanitize_filename($_FILES['upload_file']['name'], false, false, false); // Don't force lowercase or alphanumeric
             $dirfilepath            = $oEditedTemplate->filesPath;
 

diff --git a/application/core/LSYii_ImageValidator.php b/application/core/LSYii_ImageValidator.php
@@ -27,11 +27,13 @@ public static function validateImage($file)
     {
         if (is_array($file)) {
             $path = $file['tmp_name'];
+            $extension = pathinfo($file['name'], PATHINFO_EXTENSION);
             $type = $file['type'];
         } elseif (is_string($file)) {
             $parts = explode('.', $file);
             $path = $file;
-            $type = 'image/' . $parts[count($parts) - 1];
+            $extension = pathinfo($file, PATHINFO_EXTENSION);
+            $type = 'image/' . $extension;
         } else {
             return [
                 // No translation ? send $file ?
@@ -62,13 +64,13 @@ public static function validateImage($file)
         );
 
         if (!empty($checkImage)
+            && in_array($extension,explode(",",Yii::app()->getConfig('allowedthemeimageformats')))
             && in_array($checkImage, $allowedImageFormats)
             && in_array(strtolower($type), $allowedImageFormats)) {
             $result['uploadresult'] = '';
             $result['check'] = true;
         } else {
-            $result['uploadresult'] =
-                gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
+            $result['uploadresult'] = gT("This file is not a supported image - please only upload JPG,PNG,GIF or SVG type images.");
             $result['check'] = false;
         }
         return $result;

diff --git a/application/helpers/admin/template_helper.php b/application/helpers/admin/template_helper.php
@@ -129,7 +129,7 @@ function is_template_editable($templatename)
 */
 function templateExtractFilter($p_event, &$p_header)
 {
-    $aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads'));
+    $aAllowExtensions = explode(',', Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'));
     $aAllowExtensions[] = 'twig';
     $info = pathinfo($p_header['filename']);
 

diff --git a/application/views/admin/themes/templateeditorbar_view.php b/application/views/admin/themes/templateeditorbar_view.php
@@ -28,7 +28,7 @@ function copyprompt(text, defvalue, copydirectory, action)
             if(filename==""){
                 return false; // False click
             }
-            var allowedtypes=',<?php echo Yii::app()->getConfig('allowedthemeuploads'); ?>,';
+            var allowedtypes=',<?php echo Yii::app()->getConfig('allowedthemeuploads').','.Yii::app()->getConfig('allowedthemeimageformats'); ?>,';
             var lastdotpos=-1;
             var ext='';
             if ((lastdotpos=filename.lastIndexOf('.')) < 0)