Showing with 32 additions and 22 deletions.
  1. +8 −0 Changelog
  2. +2 −2 README.md
  3. +1 −1 css/elfinder.full.css
  4. +1 −1 css/elfinder.min.css
  5. +2 −2 js/elfinder.full.js
  6. +4 −4 js/elfinder.min.js
  7. +1 −1 package.json
  8. +1 −1 php/elFinder.class.php
  9. +12 −10 php/elFinderVolumeDriver.class.php
@@ -1,3 +1,11 @@
2019-02-26 Naoki Sawada <hypweb+elfinder@gmail.com>

* elFinder (2.1.48):
- [VD:abstract] fix animated image conversion on ImageMagick
- [Security,VD:abstract] fix command injection vulnerability of PHP connector
Special thanks to Thomas Chauchefoin (Synacktiv) for reporting this vulnerability.


2019-02-25 Naoki Sawada <hypweb+elfinder@gmail.com>

* elFinder (2.1.47):
@@ -1,7 +1,7 @@
elFinder
========

**WARNING: IF YOU HAVE OLDER (IN PARTICULAR 2.1.45 OR EARLIER) VERSIONS OF ELFINDER ON PUBLIC SERVERS, IT MAY CAUSE SERIOUS DAMAGE TO YOUR SERVER AND VISITED USER. YOU SHOULD UPDATE TO THE LATEST VERSION OR REMOVE IT FROM THE SERVER.**
**WARNING: IF YOU HAVE OLDER (IN PARTICULAR 2.1.47 OR EARLIER) VERSIONS OF ELFINDER ON PUBLIC SERVERS, IT MAY CAUSE SERIOUS DAMAGE TO YOUR SERVER AND VISITED USER. YOU SHOULD UPDATE TO THE LATEST VERSION OR REMOVE IT FROM THE SERVER.**

[![elFinder file manager for the Web](https://studio-42.github.io/elFinder/images/elFinderScr.png "elFinder file manager for the Web")](https://studio-42.github.io/elFinder/)

@@ -124,7 +124,7 @@ Installation
Downloads
------------
**Stable releases** ([Changelog](https://github.com/Studio-42/elFinder/blob/master/Changelog))
+ [elFinder 2.1.47](https://github.com/Studio-42/elFinder/archive/2.1.47.zip)
+ [elFinder 2.1.48](https://github.com/Studio-42/elFinder/archive/2.1.48.zip)
+ [elFinder 2.0.9](https://github.com/Studio-42/elFinder/archive/2.0.9.zip) (deprecated)

**Nightly builds**
@@ -1,6 +1,6 @@
/*!
* elFinder - file manager for web
* Version 2.1.47 (2019-02-25)
* Version 2.1.48 (2019-02-26)
* http://elfinder.org
*
* Copyright 2009-2019, Studio 42


@@ -1,6 +1,6 @@
/*!
* elFinder - file manager for web
* Version 2.1.47 (2019-02-25)
* Version 2.1.48 (2019-02-26)
* http://elfinder.org
*
* Copyright 2009-2019, Studio 42
@@ -10136,7 +10136,7 @@ if (!window.cancelAnimationFrame) {
*
* @type String
**/
elFinder.prototype.version = '2.1.47';
elFinder.prototype.version = '2.1.48';




@@ -1,6 +1,6 @@
{
"name": "elfinder",
"version": "2.1.47",
"version": "2.1.48",
"description": "Open-source file manager for web, written in JavaScript using jQuery and jQuery UI.",
"author": "Studio-42 (https://github.com/Studio-42/elFinder)",
"license": "3-clauses BSD",
@@ -32,7 +32,7 @@ class elFinder
*
* @var integer
*/
protected static $ApiRevision = 47;
protected static $ApiRevision = 48;

/**
* Storages (root dirs)
@@ -3476,7 +3476,7 @@ public function ffmpegToImg($file, $stat, $self, $ss = null)
$ss = $this->options['tmbVideoConvSec'];
}
}
$cmd = sprintf(ELFINDER_FFMPEG_PATH . ' -i %s -ss 00:00:%.3f -vframes 1 -f image2 %s', escapeshellarg($tmp), $ss, escapeshellarg($file));
$cmd = sprintf(ELFINDER_FFMPEG_PATH . ' -i %s -ss 00:00:%.3f -vframes 1 -f image2 -- %s', escapeshellarg($tmp), $ss, escapeshellarg($file));
$r = ($this->procExec($cmd) === 0);
clearstatcache();
if ($r && $ss > 0 && !file_exists($file)) {
@@ -5463,7 +5463,7 @@ protected function createTmb($path, $stat)
}
} else if ($this->imgLib === 'convert') {
$convParams = $this->imageMagickConvertPrepare($tmb, 'png', 100, array(), $stat['mime']);
$cmd = sprintf('%s -colorspace sRGB -trim %s %s', ELFINDER_CONVERT_PATH, $convParams['quotedPath'], $convParams['quotedDstPath']);
$cmd = sprintf('%s -colorspace sRGB -trim -- %s %s', ELFINDER_CONVERT_PATH, $convParams['quotedPath'], $convParams['quotedDstPath']);
$result = false;
if ($this->procExec($cmd) === 0) {
if (($s = getimagesize($tmb)) !== false) {
@@ -6004,10 +6004,10 @@ protected function imgRotate($path, $degree, $bgcolor = '#ffffff', $destformat =
$quotedPath = escapeshellarg($path);
$cmds = array();
if ($this->procExec(ELFINDER_EXIFTRAN_PATH . ' -h') === 0) {
$cmds[] = ELFINDER_EXIFTRAN_PATH . ' -i ' . $exiftran[$count] . ' ' . $path;
$cmds[] = ELFINDER_EXIFTRAN_PATH . ' -i ' . $exiftran[$count] . ' -- ' . $quotedPath;
}
if ($this->procExec(ELFINDER_JPEGTRAN_PATH . ' -version') === 0) {
$cmds[] = ELFINDER_JPEGTRAN_PATH . ' -rotate ' . $jpegtran[$count] . ' -copy all -outfile ' . $quotedPath . ' ' . $quotedPath;
$cmds[] = ELFINDER_JPEGTRAN_PATH . ' -rotate ' . $jpegtran[$count] . ' -copy all -outfile ' . $quotedPath . ' -- ' . $quotedPath;
}
foreach ($cmds as $cmd) {
if ($this->procExec($cmd) === 0) {
@@ -6067,7 +6067,7 @@ protected function imgRotate($path, $degree, $bgcolor = '#ffffff', $destformat =
if ($s[2] === IMAGETYPE_GIF || $s[2] === IMAGETYPE_PNG) {
$bgcolor = 'rgba(255, 255, 255, 0.0)';
}
$cmd = sprintf('%s %s%s%s%s -background "%s" -rotate %d%s %s', ELFINDER_CONVERT_PATH, $quotedPath, $coalesce, $jpgQuality, $interlace, $bgcolor, $degree, $deconstruct, $quotedDstPath);
$cmd = sprintf('%s%s%s%s -background "%s" -rotate %d%s -- %s %s', ELFINDER_CONVERT_PATH, $coalesce, $jpgQuality, $interlace, $bgcolor, $degree, $deconstruct, $quotedPath, $quotedDstPath);

$result = false;
if ($this->procExec($cmd) === 0) {
@@ -6205,8 +6205,8 @@ protected function procExec($command, &$output = '', &$return_var = -1, &$error_
fclose($pipes[1]);
fclose($pipes[2]);

$error_output = $tmpout;
$output = $tmperr;
$output = $tmpout;
$error_output = $tmperr;
$return_var = proc_close($process);

} else {
@@ -6420,7 +6420,7 @@ protected function imageMagickConvertPrepare($path, $destformat, $jpgQuality, $i
$srcType = $this->getExtentionByMime($mime, ':');
$ani = false;
if (preg_match('/^(?:gif|png|ico)/', $srcType)) {
$cmd = ELFINDER_IDENTIFY_PATH . ' ' . escapeshellarg($srcType . $path);
$cmd = ELFINDER_IDENTIFY_PATH . ' -- ' . escapeshellarg($srcType . $path);
if ($this->procExec($cmd, $o) === 0) {
$ani = preg_split('/(?:\r\n|\n|\r)/', trim($o));
if (count($ani) < 2) {
@@ -6430,13 +6430,13 @@ protected function imageMagickConvertPrepare($path, $destformat, $jpgQuality, $i
}
$coalesce = $index = $interlace = '';
$deconstruct = ' +repage';
$index = '[0]';
if ($ani) {
if ($ani && $destformat !== 'png'/* not createTmb */) {
if (is_null($destformat)) {
$coalesce = ' -coalesce -repage 0x0';
$deconstruct = ' +repage -deconstruct -layers optimize';
} else if ($imageSize) {
if ($srcType === 'ico:') {
$index = '[0]';
foreach ($ani as $_i => $_info) {
if (preg_match('/ (\d+)x(\d+) /', $_info, $m)) {
if ($m[1] == $imageSize[0] && $m[2] == $imageSize[1]) {
@@ -6447,6 +6447,8 @@ protected function imageMagickConvertPrepare($path, $destformat, $jpgQuality, $i
}
}
}
} else {
$index = '[0]';
}
if ($imageSize && ($imageSize[2] === IMAGETYPE_JPEG || $imageSize[2] === IMAGETYPE_JPEG2000)) {
$jpgQuality = ' -quality ' . $jpgQuality;
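Review bot: In the ImageMagick branch of imgRotate, the new `sprintf('%s%s%s%s -background "%s" -rotate %d%s -- %s %s', ...)` line still places `$bgcolor` inside hand-written double quotes instead of passing it through `escapeshellarg()`, so shell metacharacters in that value are not neutralised the way they now are for the two paths. Whether callers validate `$bgcolor` is not visible in these hunks, but it is a function parameter, so quoting it at the point of use would make the command safe regardless: change the format to `-background %s` and pass `escapeshellarg($bgcolor)` in its place. A short comment above each `--` explaining that it stops a file name beginning with `-` from being parsed as an option would also help the next maintainer keep it there. imgRotate's body starts and ends outside the hunks shown.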