Fixed #7920 - "File contains dangerous PHP" #8666
Fixed #7920 - "File contains dangerous PHP" #8666
app/Fields/File.php
if (($type && $type === 'image') || $this->getShortMimeType(0) === 'image') { | ||
$this->validateImage(); | ||
$this->validateCodeInjectionInMetadata(); | ||
} else { | ||
$this->validateCodeInjection(); |
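Review bot: `$type && $type === 'image'` on the first line reduces to `$type === 'image'`; the leading truthiness guard adds nothing, because a strict comparison against a non-empty string is already false for null or an empty value. Separately, `validateCodeInjectionInMetadata()` is called here right after `validateImage()`, while the later `validateImage` hunk (`@@ -420,29 +444,56 @@`) shows `validateImage()` itself calling `validateCodeInjectionInMetadata()`; if both hunks reflect the same revision, the metadata check runs twice on every image, and `if ($type === 'image' || $this->getShortMimeType(0) === 'image') { $this->validateImage(); } else {` keeps a single pass. The enclosing method starts and ends outside the hunk.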
?
app/Fields/File.php
$returnVal = false; | ||
} | ||
} else { | ||
if (@imagecreatefromstring($this->getContents()) === false) { |
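Review bot: The `@` in front of `imagecreatefromstring()` on the last line silences the GD warning that says why decoding failed, so a rejected upload leaves nothing in the log beyond the generic result; the `=== false` check already handles the failure, so the suppression only costs diagnostics. Prefer `if (imagecreatefromstring($this->getContents()) === false) {` and let the warning reach the error log, or convert it with an error handler if the noise matters. The same `@` sits on the GD branch of the two following hunks. The enclosing method begins and ends outside the hunk.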
?
app/Fields/File.php
$img->clear(); | ||
$img->destroy(); | ||
} else { | ||
$img = @\imagecreatefromstring(\file_get_contents($fileImgIn)); |
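Review bot: `\file_get_contents($fileImgIn)` on the last line is handed straight to `\imagecreatefromstring()` without a `false` check; when the path cannot be read, `false` is passed where a string is expected, which is a TypeError under `strict_types` and an empty-string decode otherwise, and the `@` hides the read warning as well. Read first and fail explicitly: `$contents = \file_get_contents($fileImgIn);` followed by `$img = $contents === false ? false : \imagecreatefromstring($contents);`, so the `=== false` test that follows covers both failures. The same unchecked read appears on the GD branch of the next hunk and in the last `removeForbiddenTags` hunk (`$img = \imagecreatefromstring(\file_get_contents($fileImgIn));`). The enclosing method starts and ends outside the hunk.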
?
app/Fields/File.php
} else { | ||
$img = @\imagecreatefromstring(\file_get_contents($fileImgIn)); | ||
if ($img === false) { | ||
throw new \App\Exceptions\AppException('Wrong file type'); |
?
app/Fields/File.php
if (extension_loaded('imagick')) { | ||
try { | ||
$img = new \imagick($this->path); | ||
$img->valid(); |
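Review bot: The result of `$img->valid()` on the last line is discarded, so the call has no effect on whether the file is accepted; within this branch the only thing that can reject the file is an exception thrown by the `new \imagick(...)` constructor. If the intent is to refuse images Imagick cannot iterate, test the result, `if (!$img->valid()) { throw new \App\Exceptions\AppException('ERR_FILE_WRONG_IMAGE'); }`; otherwise drop the line so the code does not suggest a check that is not made. The try block and the surrounding method continue past the hunk.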
?
app/Fields/File.php
} | ||
|
||
/** | ||
* Validate code injection. | ||
* | ||
* @throws \Exception | ||
*/ | ||
private function validateCodeInjection() | ||
public function validateCodeInjection() |
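Review bot: The docblock still reads `@throws \Exception` while the body, visible in the next hunk, throws `\App\Exceptions\AppException('ERR_FILE_PHP_CODE_INJECTION')`; whichever visibility is kept, the contract should name the concrete type, `@throws \App\Exceptions\AppException when the contents contain an open tag or an XMP packet marker`. A one-line summary of which markers are scanned would help as well, since "code injection" on its own does not say what the method looks for. The method body lies outside this hunk.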
public function validateCodeInjection() | |
private function validateCodeInjection() |
app/Fields/File.php
stripos($contents, '<? ') !== false || | ||
stripos($contents, '<% ') !== false || | ||
stripos($contents, '<?xpacket') !== false | ||
) { | ||
throw new \App\Exceptions\AppException('ERR_FILE_PHP_CODE_INJECTION'); |
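Review bot: `stripos($contents, '<?xpacket') !== false` on the third line refuses any file that carries an XMP packet, and XMP headers are routine in JPEG, PNG and TIFF written by cameras and editors, so this turns away a large share of legitimate images rather than only code; if that is intended, say so next to the check, e.g. `// XMP packets (<?xpacket) are refused outright rather than stripped`, and if not, leave XMP to the `removeForbiddenTags` re-encode shown in the later hunks. The `'<? '` test on the first line matches a short open tag only when a space follows it, so `<?` followed by a tab or newline slips past this line; the lines above the hunk may cover that case, I cannot see them. The condition and the method begin outside the hunk.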
\App\Exceptions\DangerousFile
app/Fields/File.php
(empty($imageInfo['APP1']) || strpos($imageInfo['APP1'], 'Exif') === 0) && | ||
($exifdata = exif_read_data($this->path)) && !$this->validateImageMetadata($exifdata) | ||
) { | ||
throw new \App\Exceptions\AppException('ERR_FILE_PHP_CODE_INJECTION'); |
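Review bot: The chain on the second line fails open: `exif_read_data()` returns `false` (with a warning) when the EXIF block cannot be parsed, the inline assignment then makes the `&&` short-circuit, and no exception is thrown, so a file whose EXIF is malformed is accepted without `validateImageMetadata()` ever running. Because `exif_read_data()` also returns `false` for images that simply have no EXIF, the fix is not to throw on every `false` but to require a readable result whenever an APP1 segment is present, and to move the assignment out of the condition so the three outcomes (no EXIF, unreadable EXIF, bad metadata) are explicit. I cannot see whether a later check such as `validateImageContent()` covers the unreadable case; confirm before changing. The enclosing method starts and ends outside the hunk.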
\App\Exceptions\DangerousFile
app/Fields/File.php
@@ -420,29 +444,56 @@ private function validateImage() | |||
if (preg_match('[\x01-\x08\x0c-\x1f]', $this->getContents())) { | |||
throw new \App\Exceptions\AppException('ERR_FILE_WRONG_IMAGE'); | |||
} | |||
$this->validateCodeInjectionInMetadata(); | |||
if (!$this->validateImageContent()) { | |||
throw new \App\Exceptions\AppException('ERR_FILE_WRONG_IMAGE ||' . $this->validateError); |
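Review bot: The pattern on the first line, `'[\x01-\x08\x0c-\x1f]'`, uses `[` and `]` as the PCRE delimiters, so the regex that actually runs is `\x01-\x08\x0c-\x1f` — a literal byte sequence, not a character class — and the control-character check almost never fires; this looks like a context line rather than one the commit adds, but it heads the validation this change extends. Wrap the class in real delimiters: `if (preg_match('/[\x01-\x08\x0c-\x1f]/', $this->getContents())) {`. Also, `'ERR_FILE_WRONG_IMAGE ||' . $this->validateError` on the last line appends free text to what is elsewhere a bare translation key; worth checking that the consumer expects that shape. The method continues past the hunk.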
\App\Exceptions\DangerousFile
app/Fields/File.php
} | ||
if ($type && $this->getShortMimeType(0) !== $type) { | ||
throw new \App\Exceptions\AppException('Wrong file type'); | ||
throw new \App\Exceptions\AppException('ERR_FILE_ILLEGAL_FORMAT'); |
\App\Exceptions\DangerousFile
app/Fields/File.php
$img = new \imagick($fileImgIn); | ||
$img->stripImage(); | ||
$img->setImageCompression(\Imagick::COMPRESSION_JPEG); | ||
$img->setImageCompressionQuality(80); |
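Review bot: `$img->stripImage()` on the second line discards every profile, including the EXIF Orientation tag and any ICC colour profile, so portrait photos come back rotated and colour-managed images shift; the re-encode is the right place to drop metadata, but the orientation should be applied to the pixels before it is lost (read it with `getImageOrientation()` and rotate accordingly, or use Imagick's auto-orient call if the installed version provides one), and keeping the ICC profile may be worth considering. `setImageCompression(\Imagick::COMPRESSION_JPEG)` on the third line also forces JPEG compression regardless of the source format, which flattens transparent PNGs, unless the per-extension switch in the later `removeForbiddenTags` hunks is what replaced this. The enclosing method starts and ends outside the hunk.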
$img->setImageCompressionQuality(80); | |
$img->setImageCompressionQuality(99); |
app/Fields/File.php
$file = static::loadFromRequest($fileDetails); | ||
if (!$file->validate($type)) { | ||
$attach[] = ['name' => $file->getName(), 'error' => $file->validateError, 'hash' => $request->getByType('hash', 'Text')]; | ||
continue; | ||
if (!static::removeForbiddenTags($file->getPath(), $file->getPath())) { |
if (!static::removeForbiddenTags($file->getPath(), $file->getPath())) { | |
if (!static::removeForbiddenTags($file->getPath())) { |
app/Fields/File.php
@@ -985,10 +1036,19 @@ public static function uploadAndSave(\App\Request $request, array $files, string | |||
$attach = []; | |||
foreach (static::transform($files, true) as $key => $transformFiles) { | |||
foreach ($transformFiles as $fileDetails) { | |||
$infoFile = ''; |
$infoFile = ''; | |
$additionalNotes = ''; |
app/Fields/File.php
@@ -1006,7 +1066,8 @@ public static function uploadAndSave(\App\Request $request, array $files, string | |||
'name' => $file->getName(), | |||
'size' => \vtlib\Functions::showBytes($file->getSize()), | |||
'key' => $key, | |||
'hash' => $request->getByType('hash', 'string') | |||
'hash' => $request->getByType('hash', 'string'), | |||
'info' => $infoFile |
'info' => $infoFile | |
'additionalNotes' => $additionalNotes |
$this->validateError = $e->getMessage(); | ||
$returnVal = false; | ||
} | ||
} |
?
app/Fields/File.php
$file = static::loadFromRequest($fileDetails); | ||
if (!$file->validate($type)) { | ||
$attach[] = ['name' => $file->getName(), 'error' => $file->validateError, 'hash' => $request->getByType('hash', 'Text')]; | ||
continue; | ||
if (!static::removeForbiddenTags($file->getPath())) { |
if (!static::removeForbiddenTags($file->getPath())) { | |
if (!static::removeForbiddenTags($file)) { |
app/Fields/File.php
* | ||
* @return bool | ||
*/ | ||
public static function removeForbiddenTags(string $fileImgIn): bool |
public static function removeForbiddenTags(string $fileImgIn): bool | |
public static function removeForbiddenTags(string $file): bool |
app/Fields/File.php
$result = false; | ||
if (extension_loaded('imagick')) { | ||
try { | ||
$img = new \imagick($fileImgIn); |
$img = new \imagick($fileImgIn); | |
$img = new \imagick($file->getPath()); |
app/Fields/File.php
try { | ||
$img = new \imagick($fileImgIn); | ||
$img->stripImage(); | ||
switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { |
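Review bot: `switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION)))` on the last line chooses the output format from the file name's extension, which the uploader controls, not from the bytes; a PNG uploaded as `.jpg` is re-encoded under the wrong codec branch, and what a file with an unlisted extension gets depends on a `default` case that lies outside the hunk. The validation path already derives a type from content (`getShortMimeType()` in the earlier hunks), so dispatching on that detected type keeps the re-encode consistent with what was validated. The GD branch in the next hunk makes the same extension-based decision. The function body continues past the hunk.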
switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { | |
switch ($file->getExtension()) { |
app/Fields/File.php
} else { | ||
$img = \imagecreatefromstring(\file_get_contents($fileImgIn)); | ||
if (false !== $img) { | ||
switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { |
switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { | |
switch ($file->getExtension()) { |
@@ -169,6 +169,7 @@ | |||
"LBL_HELP_LDAP": "Protok\u00f3\u0142 u\u017cywany do uzyskiwania dost\u0119pu do baz danych przechowuj\u0105cych informacje w strukturze drzewa.", | |||
"LBL_HELP_OPCACHE": "Poprawia wydajno\u015b\u0107 poprzez przechowywanie skompilowanego kodu bajtowego w pami\u0119ci wsp\u00f3\u0142dzielonej.", | |||
"LBL_HELP_APCU": "", | |||
"LBL_HELP_IMAGICK": "Zaawansowana obr\u00f3bka zdje\u0107", |
Biblioteka zalecana do zabezpieczania potencjalnie niebezpiecznych plików graficznych
languages/pl_pl/_Base.json
@@ -227,6 +227,7 @@ | |||
"LBL_EXPORT_RECORDS": "Eksportuj rekordy", | |||
"LBL_EXPORT_SELECTED_RECORDS": "Eksportuj zaznaczone rekordy", | |||
"LBL_Feb": "Lut", | |||
"LBL_FILE_HAS_BEEN_MODIFIED": "Tw\u00f3j plik zosta\u0142 zmodyfikowany.", |
Plik został zmodyfikowany ponieważ zawierał niebezpieczny kod.
Fixed #7920 - "File contains dangerous PHP"