Fixed #7920 - "File contains dangerous PHP" #8666
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
arek1-618
added
✔ finished
mariuszkrzaczkowski
requested changes
Nov 23, 2018
app/Fields/File.php
Outdated
| if (($type && $type === 'image') || $this->getShortMimeType(0) === 'image') { | ||
| $this->validateImage(); | ||
| $this->validateCodeInjectionInMetadata(); | ||
| } else { | ||
| $this->validateCodeInjection(); |
app/Fields/File.php
Outdated
| $returnVal = false; | ||
| } | ||
| } else { | ||
| if (@imagecreatefromstring($this->getContents()) === false) { |
app/Fields/File.php
Outdated
| $img->clear(); | ||
| $img->destroy(); | ||
| } else { | ||
| $img = @\imagecreatefromstring(\file_get_contents($fileImgIn)); |
app/Fields/File.php
Outdated
| } else { | ||
| $img = @\imagecreatefromstring(\file_get_contents($fileImgIn)); | ||
| if ($img === false) { | ||
| throw new \App\Exceptions\AppException('Wrong file type'); |
rskrzypczak
added
🔧 AmendmentsRequired
arek1-618
added
✔ finished
mariuszkrzaczkowski
added
🔧 AmendmentsRequired
arek1-618
removed
the
🔧 AmendmentsRequired
app/Fields/File.php
Outdated
| if (extension_loaded('imagick')) { | ||
| try { | ||
| $img = new \imagick($this->path); | ||
| $img->valid(); |
app/Fields/File.php
Outdated
| } | ||
|
|
||
| /** | ||
| * Validate code injection. | ||
| * | ||
| * @throws \Exception | ||
| */ | ||
| private function validateCodeInjection() | ||
| public function validateCodeInjection() |
There was a problem hiding this comment.
Suggested change
| public function validateCodeInjection() | |
| private function validateCodeInjection() |
app/Fields/File.php
Outdated
| stripos($contents, '<? ') !== false || | ||
| stripos($contents, '<% ') !== false || | ||
| stripos($contents, '<?xpacket') !== false | ||
| ) { | ||
| throw new \App\Exceptions\AppException('ERR_FILE_PHP_CODE_INJECTION'); |
There was a problem hiding this comment.
\App\Exceptions\DangerousFile
app/Fields/File.php
Outdated
| (empty($imageInfo['APP1']) || strpos($imageInfo['APP1'], 'Exif') === 0) && | ||
| ($exifdata = exif_read_data($this->path)) && !$this->validateImageMetadata($exifdata) | ||
| ) { | ||
| throw new \App\Exceptions\AppException('ERR_FILE_PHP_CODE_INJECTION'); |
There was a problem hiding this comment.
\App\Exceptions\DangerousFile
app/Fields/File.php
Outdated
| @@ -420,29 +444,56 @@ private function validateImage() | |||
| if (preg_match('[\x01-\x08\x0c-\x1f]', $this->getContents())) { | |||
| throw new \App\Exceptions\AppException('ERR_FILE_WRONG_IMAGE'); | |||
| } | |||
| $this->validateCodeInjectionInMetadata(); | |||
| if (!$this->validateImageContent()) { | |||
| throw new \App\Exceptions\AppException('ERR_FILE_WRONG_IMAGE ||' . $this->validateError); | |||
There was a problem hiding this comment.
\App\Exceptions\DangerousFile
app/Fields/File.php
Outdated
| } | ||
| if ($type && $this->getShortMimeType(0) !== $type) { | ||
| throw new \App\Exceptions\AppException('Wrong file type'); | ||
| throw new \App\Exceptions\AppException('ERR_FILE_ILLEGAL_FORMAT'); |
There was a problem hiding this comment.
\App\Exceptions\DangerousFile
app/Fields/File.php
Outdated
| $img = new \imagick($fileImgIn); | ||
| $img->stripImage(); | ||
| $img->setImageCompression(\Imagick::COMPRESSION_JPEG); | ||
| $img->setImageCompressionQuality(80); |
There was a problem hiding this comment.
Suggested change
| $img->setImageCompressionQuality(80); | |
| $img->setImageCompressionQuality(99); |
app/Fields/File.php
Outdated
| $file = static::loadFromRequest($fileDetails); | ||
| if (!$file->validate($type)) { | ||
| $attach[] = ['name' => $file->getName(), 'error' => $file->validateError, 'hash' => $request->getByType('hash', 'Text')]; | ||
| continue; | ||
| if (!static::removeForbiddenTags($file->getPath(), $file->getPath())) { |
There was a problem hiding this comment.
Suggested change
| if (!static::removeForbiddenTags($file->getPath(), $file->getPath())) { | |
| if (!static::removeForbiddenTags($file->getPath())) { |
app/Fields/File.php
Outdated
| @@ -985,10 +1036,19 @@ public static function uploadAndSave(\App\Request $request, array $files, string | |||
| $attach = []; | |||
| foreach (static::transform($files, true) as $key => $transformFiles) { | |||
| foreach ($transformFiles as $fileDetails) { | |||
| $infoFile = ''; | |||
There was a problem hiding this comment.
Suggested change
| $infoFile = ''; | |
| $additionalNotes = ''; |
app/Fields/File.php
Outdated
| @@ -1006,7 +1066,8 @@ public static function uploadAndSave(\App\Request $request, array $files, string | |||
| 'name' => $file->getName(), | |||
| 'size' => \vtlib\Functions::showBytes($file->getSize()), | |||
| 'key' => $key, | |||
| 'hash' => $request->getByType('hash', 'string') | |||
| 'hash' => $request->getByType('hash', 'string'), | |||
| 'info' => $infoFile | |||
There was a problem hiding this comment.
Suggested change
| 'info' => $infoFile | |
| 'additionalNotes' => $additionalNotes |
mariuszkrzaczkowski
added
🔧 AmendmentsRequired
| $this->validateError = $e->getMessage(); | ||
| $returnVal = false; | ||
| } | ||
| } |
arek1-618
added
✔ finished
mariuszkrzaczkowski
requested changes
Dec 7, 2018
app/Fields/File.php
Outdated
| $file = static::loadFromRequest($fileDetails); | ||
| if (!$file->validate($type)) { | ||
| $attach[] = ['name' => $file->getName(), 'error' => $file->validateError, 'hash' => $request->getByType('hash', 'Text')]; | ||
| continue; | ||
| if (!static::removeForbiddenTags($file->getPath())) { |
There was a problem hiding this comment.
Suggested change
| if (!static::removeForbiddenTags($file->getPath())) { | |
| if (!static::removeForbiddenTags($file)) { |
app/Fields/File.php
Outdated
| * | ||
| * @return bool | ||
| */ | ||
| public static function removeForbiddenTags(string $fileImgIn): bool |
There was a problem hiding this comment.
Suggested change
| public static function removeForbiddenTags(string $fileImgIn): bool | |
| public static function removeForbiddenTags(string $file): bool |
app/Fields/File.php
Outdated
| $result = false; | ||
| if (extension_loaded('imagick')) { | ||
| try { | ||
| $img = new \imagick($fileImgIn); |
There was a problem hiding this comment.
Suggested change
| $img = new \imagick($fileImgIn); | |
| $img = new \imagick($file->getPath()); |
app/Fields/File.php
Outdated
| try { | ||
| $img = new \imagick($fileImgIn); | ||
| $img->stripImage(); | ||
| switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { |
There was a problem hiding this comment.
Suggested change
| switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { | |
| switch ($file->getExtension()) { |
app/Fields/File.php
Outdated
| } else { | ||
| $img = \imagecreatefromstring(\file_get_contents($fileImgIn)); | ||
| if (false !== $img) { | ||
| switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { |
There was a problem hiding this comment.
Suggested change
| switch (strtolower(pathinfo($fileImgIn, PATHINFO_EXTENSION))) { | |
| switch ($file->getExtension()) { |
| @@ -169,6 +169,7 @@ | |||
| "LBL_HELP_LDAP": "Protok\u00f3\u0142 u\u017cywany do uzyskiwania dost\u0119pu do baz danych przechowuj\u0105cych informacje w strukturze drzewa.", | |||
| "LBL_HELP_OPCACHE": "Poprawia wydajno\u015b\u0107 poprzez przechowywanie skompilowanego kodu bajtowego w pami\u0119ci wsp\u00f3\u0142dzielonej.", | |||
| "LBL_HELP_APCU": "", | |||
| "LBL_HELP_IMAGICK": "Zaawansowana obr\u00f3bka zdje\u0107", | |||
There was a problem hiding this comment.
Biblioteka zalecana do zabezpieczania potencjalnie niebezpiecznych plików graficznych
languages/pl_pl/_Base.json
Outdated
| @@ -227,6 +227,7 @@ | |||
| "LBL_EXPORT_RECORDS": "Eksportuj rekordy", | |||
| "LBL_EXPORT_SELECTED_RECORDS": "Eksportuj zaznaczone rekordy", | |||
| "LBL_Feb": "Lut", | |||
| "LBL_FILE_HAS_BEEN_MODIFIED": "Tw\u00f3j plik zosta\u0142 zmodyfikowany.", | |||
There was a problem hiding this comment.
Plik został zmodyfikowany ponieważ zawierał niebezpieczny kod.
mariuszkrzaczkowski
added
🔧 AmendmentsRequired
added 2 commits
December 7, 2018 15:12
arek1-618
added
✔ finished
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixed #7920 - "File contains dangerous PHP"