fix: file upload bypass vulnerability (#181)

ellite · Mar 2, 2024 · 0f7853f · 0f7853f
1 parent 2496cd7
commit 0f7853f
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 6 deletions.
diff --git a/endpoints/payments/add.php b/endpoints/payments/add.php
@@ -9,9 +9,15 @@
     function sanitizeFilename($filename) {
         $filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename);
         $filename = str_replace(" ", "-", $filename);
+        $filename = str_replace(".", "", $filename);
         return $filename;
     }
 
+    function validateFileExtension($fileExtension) {
+        $allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'jtif', 'webp'];
+        return in_array($fileExtension, $allowedExtensions);
+    }
+
     function getLogoFromUrl($url, $uploadDir, $name) {
 
         $ch = curl_init($url);
@@ -72,6 +78,7 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
         $timestamp = time();
         $originalFileName = $uploadedFile['name'];
         $fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION);
+        $fileExtension = validateFileExtension($fileExtension) ? $fileExtension : 'png';
         $fileName = $timestamp . '-payments-' . sanitizeFilename($name) . '.' . $fileExtension;
         $uploadFile = $uploadDir . $fileName;
 
@@ -87,6 +94,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
                     $image = imagecreatefrompng($uploadFile);
                 } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
                     $image = imagecreatefromjpeg($uploadFile);
+                } elseif ($fileExtension === 'gif') {
+                    $image = imagecreatefromgif($uploadFile);
+                } elseif ($fileExtension === 'webp') {
+                    $image = imagecreatefromwebp($uploadFile);
                 } else {
                     // Handle other image formats as needed
                     return "";
@@ -120,6 +131,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
                     imagepng($resizedImage, $uploadFile);
                 } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
                     imagejpeg($resizedImage, $uploadFile);
+                } elseif ($fileExtension === 'gif') {
+                    imagegif($resizedImage, $uploadFile);
+                } elseif ($fileExtension === 'webp') {
+                    imagewebp($resizedImage, $uploadFile);
                 } else {
                     return "";
                 }

diff --git a/endpoints/subscription/add.php b/endpoints/subscription/add.php
@@ -9,9 +9,15 @@
     function sanitizeFilename($filename) {
         $filename = preg_replace("/[^a-zA-Z0-9\s]/", "", $filename);
         $filename = str_replace(" ", "-", $filename);
+        $filename = str_replace(".", "", $filename);
         return $filename;
     }
 
+    function validateFileExtension($fileExtension) {
+        $allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
+        return in_array($fileExtension, $allowedExtensions);
+    }
+
     function getLogoFromUrl($url, $uploadDir, $name) {
 
         $ch = curl_init($url);
@@ -72,6 +78,7 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
         $timestamp = time();
         $originalFileName = $uploadedFile['name'];
         $fileExtension = pathinfo($originalFileName, PATHINFO_EXTENSION);
+        $fileExtension = validateFileExtension($fileExtension) ? $fileExtension : 'png';
         $fileName = $timestamp . '-' . sanitizeFilename($name) . '.' . $fileExtension;
         $uploadFile = $uploadDir . $fileName;
 
@@ -87,6 +94,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
                     $image = imagecreatefrompng($uploadFile);
                 } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
                     $image = imagecreatefromjpeg($uploadFile);
+                } elseif ($fileExtension === 'gif') {
+                    $image = imagecreatefromgif($uploadFile);
+                } elseif ($fileExtension === 'webp') {
+                    $image = imagecreatefromwebp($uploadFile);
                 } else {
                     // Handle other image formats as needed
                     return "";
@@ -120,6 +131,10 @@ function resizeAndUploadLogo($uploadedFile, $uploadDir, $name) {
                     imagepng($resizedImage, $uploadFile);
                 } elseif ($fileExtension === 'jpg' || $fileExtension === 'jpeg') {
                     imagejpeg($resizedImage, $uploadFile);
+                } elseif ($fileExtension === 'gif') {
+                    imagegif($resizedImage, $uploadFile);
+                } elseif ($fileExtension === 'webp') {
+                    imagewebp($resizedImage, $uploadFile);
                 } else {
                     return "";
                 }

diff --git a/includes/version.php b/includes/version.php
@@ -1,3 +1,3 @@
 <?php
-    $version = "v1.11.0";
+    $version = "v1.11.2";
 ?>
diff --git a/index.php b/index.php
@@ -135,7 +135,7 @@
             <label for="logo" class="logo-preview">
               <img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-logo"> 
             </label>
-            <input type="file" id="logo" name="logo" accept="image/jpeg, image/png" onchange="handleFileSelect(event)" class="hidden-input">
+            <input type="file" id="logo" name="logo" accept="image/jpeg, image/png, image/gif, image/webp" onchange="handleFileSelect(event)" class="hidden-input">
             <input type="hidden" id="logo-url" name="logo-url">
             <div id="logo-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchLogo()">
               <img src="images/siteicons/websearch.png">

diff --git a/nginx.conf b/nginx.conf
@@ -42,6 +42,11 @@ http {
             deny all;
             return 403;
         }
+
+        location ~* images/uploads/logos/.*\.php$ {
+            deny all;
+            return 403;
+        }
     }
 
     include /etc/nginx/conf.d/*.conf;

diff --git a/settings.php b/settings.php
@@ -506,9 +506,7 @@
                             <?php
                                 if ($payment['id'] > 31 && !$inUse) {
                                     ?>
-                                        <div class="delete-payment-method" title="<?= translate('delete', $i18n) ?>" data-paymentid="<?= $payment['id'] ?>">
-                                            x
-                                        </div>
+                                        <div class="delete-payment-method" title="<?= translate('delete', $i18n) ?>" data-paymentid="<?= $payment['id'] ?>">x</div>
                                     <?php
                                 } 
                             ?>
@@ -534,7 +532,7 @@
                         <img src="" alt="<?= translate('logo_preview', $i18n) ?>" id="form-icon"> 
                     </label>
                     <div class="form-icon-search">
-                        <input type="file" id="paymenticon" name="paymenticon" accept="image/jpeg, image/png" onchange="handleFileSelect(event)" class="hidden-input">
+                        <input type="file" id="paymenticon" name="paymenticon" accept="image/jpeg, image/png, image/gif, image/webp" onchange="handleFileSelect(event)" class="hidden-input">
                         <input type="hidden" id="icon-url" name="icon-url">
                         <div id="icon-search-button" class="image-button medium disabled" title="<?= translate('search_logo', $i18n) ?>" onClick="searchPaymentIcon()">
                             <img src="images/siteicons/websearch.png">