Skip to content
Permalink
Browse files

[VD:abstract,Security] fix command injection vulnerability of PHP con…

…nector

We express special thanks to Thomas Chauchefoin (Synacktiv), the reporter of this vulnerability.
  • Loading branch information...
nao-pon committed Feb 26, 2019
1 parent 0e5546a commit 374c88d7030eb92749267e17a4af21cc7520efa5
Showing with 6 additions and 6 deletions.
  1. +6 −6 php/elFinderVolumeDriver.class.php
@@ -3476,7 +3476,7 @@ public function ffmpegToImg($file, $stat, $self, $ss = null)
$ss = $this->options['tmbVideoConvSec'];
}
}
$cmd = sprintf(ELFINDER_FFMPEG_PATH . ' -i %s -ss 00:00:%.3f -vframes 1 -f image2 %s', escapeshellarg($tmp), $ss, escapeshellarg($file));
$cmd = sprintf(ELFINDER_FFMPEG_PATH . ' -i %s -ss 00:00:%.3f -vframes 1 -f image2 -- %s', escapeshellarg($tmp), $ss, escapeshellarg($file));
$r = ($this->procExec($cmd) === 0);
clearstatcache();
if ($r && $ss > 0 && !file_exists($file)) {
@@ -5463,7 +5463,7 @@ protected function createTmb($path, $stat)
}
} else if ($this->imgLib === 'convert') {
$convParams = $this->imageMagickConvertPrepare($tmb, 'png', 100, array(), $stat['mime']);
$cmd = sprintf('%s -colorspace sRGB -trim %s %s', ELFINDER_CONVERT_PATH, $convParams['quotedPath'], $convParams['quotedDstPath']);
$cmd = sprintf('%s -colorspace sRGB -trim -- %s %s', ELFINDER_CONVERT_PATH, $convParams['quotedPath'], $convParams['quotedDstPath']);
$result = false;
if ($this->procExec($cmd) === 0) {
if (($s = getimagesize($tmb)) !== false) {
@@ -6004,10 +6004,10 @@ protected function imgRotate($path, $degree, $bgcolor = '#ffffff', $destformat =
$quotedPath = escapeshellarg($path);
$cmds = array();
if ($this->procExec(ELFINDER_EXIFTRAN_PATH . ' -h') === 0) {
$cmds[] = ELFINDER_EXIFTRAN_PATH . ' -i ' . $exiftran[$count] . ' ' . $path;
$cmds[] = ELFINDER_EXIFTRAN_PATH . ' -i ' . $exiftran[$count] . ' -- ' . $quotedPath;
}
if ($this->procExec(ELFINDER_JPEGTRAN_PATH . ' -version') === 0) {
$cmds[] = ELFINDER_JPEGTRAN_PATH . ' -rotate ' . $jpegtran[$count] . ' -copy all -outfile ' . $quotedPath . ' ' . $quotedPath;
$cmds[] = ELFINDER_JPEGTRAN_PATH . ' -rotate ' . $jpegtran[$count] . ' -copy all -outfile ' . $quotedPath . ' -- ' . $quotedPath;
}
foreach ($cmds as $cmd) {
if ($this->procExec($cmd) === 0) {
@@ -6067,7 +6067,7 @@ protected function imgRotate($path, $degree, $bgcolor = '#ffffff', $destformat =
if ($s[2] === IMAGETYPE_GIF || $s[2] === IMAGETYPE_PNG) {
$bgcolor = 'rgba(255, 255, 255, 0.0)';
}
$cmd = sprintf('%s %s%s%s%s -background "%s" -rotate %d%s %s', ELFINDER_CONVERT_PATH, $quotedPath, $coalesce, $jpgQuality, $interlace, $bgcolor, $degree, $deconstruct, $quotedDstPath);
$cmd = sprintf('%s%s%s%s -background "%s" -rotate %d%s -- %s %s', ELFINDER_CONVERT_PATH, $coalesce, $jpgQuality, $interlace, $bgcolor, $degree, $deconstruct, $quotedPath, $quotedDstPath);
$result = false;
if ($this->procExec($cmd) === 0) {
@@ -6420,7 +6420,7 @@ protected function imageMagickConvertPrepare($path, $destformat, $jpgQuality, $i
$srcType = $this->getExtentionByMime($mime, ':');
$ani = false;
if (preg_match('/^(?:gif|png|ico)/', $srcType)) {
$cmd = ELFINDER_IDENTIFY_PATH . ' ' . escapeshellarg($srcType . $path);
$cmd = ELFINDER_IDENTIFY_PATH . ' -- ' . escapeshellarg($srcType . $path);
if ($this->procExec($cmd, $o) === 0) {
$ani = preg_split('/(?:\r\n|\n|\r)/', trim($o));
if (count($ani) < 2) {

0 comments on commit 374c88d

Please sign in to comment.
You can’t perform that action at this time.