From 1aa9fcc4741a46fa5a9f11d71b409b911ffc190f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Anne?=
Date: Wed, 20 Apr 2022 09:39:45 +0200
Subject: [PATCH] Merge pull request from GHSA-9hg4-fpwv-gx78

---
 src/Document.php | 2 ++
 src/User.php | 11 +++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/Document.php b/src/Document.php
index 82555a9952b..d78ae305e3b 100644
--- a/src/Document.php
+++ b/src/Document.php
@@ -1267,6 +1267,7 @@ public static function moveDocument(array &$input, $filename)
 
 $new_path = self::getUploadFileValidLocationName($dir, $sha1sum);
 if (!$sha1sum || !$dir || !$new_path) {
+@unlink($fullpath);
 return false;
 }
 
@@ -1319,6 +1320,7 @@ public static function moveDocument(array &$input, $filename)
 Session::addMessageAfterRedirect(__('Document copy succeeded.'));
 } else {
 Session::addMessageAfterRedirect(__('File move failed'), false, ERROR);
+@unlink($fullpath);
 return false;
 }
 }
diff --git a/src/User.php b/src/User.php
index 2d41d679eb9..1c1171f1a30 100644
--- a/src/User.php
+++ b/src/User.php
@@ -829,7 +829,7 @@ public function prepareInputForUpdate($input)
 }
 if ($newPicture) {
 $fullpath = GLPI_TMP_DIR . "/" . $input["_picture"];
-if (Toolbox::getMime($fullpath, 'image')) {
+if (Document::isImage($fullpath, 'image')) {
 // Unlink old picture (clean on changing format)
 self::dropPictureFiles($this->fields['picture']);
 // Move uploaded file
@@ -846,10 +846,7 @@ public function prepareInputForUpdate($input)
 
 $picture_path = GLPI_PICTURE_DIR . "/$sub/$(unknown).$extension";
 self::dropPictureFiles("$sub/$(unknown).$extension");
-if (
-Document::isImage($fullpath)
-&& Document::renameForce($fullpath, $picture_path)
-) {
+if (Document::renameForce($fullpath, $picture_path)) {
 Session::addMessageAfterRedirect(__('The file is valid. Upload is successful.'));
 // For display
 $input['picture'] = "$sub/$(unknown).$extension";
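Review bot: The new `@unlink($fullpath)` on the validation-failure path deletes whatever `$fullpath` resolves to, so it is only safe if that path is guaranteed to lie inside GLPI_TMP_DIR; `$filename` is a parameter of moveDocument, and if a caller can pass a value containing `..` or a directory separator, this cleanup turns into an arbitrary-file deletion on a path that was just rejected. How `$fullpath` is built is not shown in the hunk (it happens earlier in moveDocument), so confirm the name is rejected or reduced with `basename()` before this point, or restrict the cleanup to files whose `realpath()` lies under `realpath(GLPI_TMP_DIR)`. moveDocument's body continues on both sides of this hunk.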
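Review bot: The `@` on the added `@unlink($fullpath)` discards the result, so when the temporary file cannot be removed after the failed move the function still returns false with no trace that the upload was left behind in the temp directory, which appears to be the very condition this cleanup is meant to prevent. Since the branch already reports the move failure through `Session::addMessageAfterRedirect`, checking the return value, `if (!@unlink($fullpath)) {`, and logging the leftover path with the project's logging helper would make a failed cleanup visible to operators; the same applies to the unlink added in the previous hunk. moveDocument continues past this hunk.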
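Review bot: `Document::isImage($fullpath, 'image')` passes a second argument that looks like a leftover from the replaced `Toolbox::getMime($fullpath, 'image')` call: the `Document::isImage($fullpath)` call this same commit removes in the following hunk takes only the path, so if that is the method's real signature PHP silently ignores `'image'` and it should be dropped, `if (Document::isImage($fullpath)) {`. Removing it also avoids a future reader assuming the method filters by MIME family the way getMime did. prepareInputForUpdate starts and ends outside this hunk.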
@@ -859,10 +856,11 @@ public function prepareInputForUpdate($input)
 Toolbox::resizePicture($picture_path, $thumb_path);
 } else {
 Session::addMessageAfterRedirect(
-__('Potential upload attack or file too large. Moving temporary file failed.'),
+__('Moving temporary file failed.'),
 false,
 ERROR
 );
+@unlink($fullpath);
 }
 } else {
 Session::addMessageAfterRedirect(
@@ -870,6 +868,7 @@ public function prepareInputForUpdate($input)
 false,
 ERROR
 );
+@unlink($fullpath);
 }
 } else {
 //ldap jpegphoto synchronisation.
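Review bot: The `@unlink($fullpath)` added to this rename-failure branch duplicates the cleanup the commit adds to the not-an-image branch in the next hunk, and both ignore the result. A single cleanup at the end of the `if ($newPicture)` block, run only when the file is still there, `if (is_file($fullpath)) { @unlink($fullpath); }`, would cover both failure paths and be a no-op on success, since a successful `renameForce` has already moved the file away (assuming renameForce does not leave the source behind on success, which the hunk cannot show). The if/else chain begins in the preceding hunk and prepareInputForUpdate continues past this one.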
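Review bot: The `@unlink($fullpath)` added to the not-an-image branch deletes a path built in the first User.php hunk as `GLPI_TMP_DIR . "/" . $input["_picture"]`; `_picture` arrives in `$input`, so unless it is reduced to a bare file name earlier in prepareInputForUpdate (outside the hunks shown) a value containing `../` would let the submitter delete any file the web server can write to, precisely because it was rejected as an image. Worth confirming that such a check exists, or normalising at the point of use, `$fullpath = GLPI_TMP_DIR . "/" . basename($input["_picture"]);`, so both the move and the cleanup stay inside the temp directory. prepareInputForUpdate continues past this hunk.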