
Commit eb3afd1

thomasjfox authored and yunosh committed
Fix RCE in _raw() via $index parameter.

$index is passed down from getImageAtIndex($index). Luckily the only official Horde code calling it is the PDF preview code with a fixed index of 0. Still, code from third-party vendors using the Horde framework libs might expose getImageAtIndex() to the web.

PoC:
----------------
<?php
$options = array('index' => "5'$(ls -al )'");
$max_pages = 10;

// php fun: implicit conversion to integer
if ($options['index'] < $max_pages) {
    // _raw() call in Im.php might look like
    // /usr/bin/convert "/tmp/img1URPsC"'[0]' -strip png:"/tmp/img0NgHfI"
    echo exec('echo \'[' . $options['index'] . ']\' ');
}
?>
----------------

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Jan Schneider <jan@horde.org>
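The following is an added example, not part of this commit or of Horde's own code. It puts the vulnerable selector construction beside the integer cast the commit introduces and beside a stricter variant that validates the range and escapes the argument, and it adds a check a reviewer or unit test could apply to the built string. The temp-file name and the index value are constructed; `buildSelectorVulnerable`, `buildSelectorFixed`, `buildSelectorStrict` and `selectorIsSafe` are hypothetical helper names. Nothing in it executes a shell command; it only builds and inspects strings.

```php
<?php
// Added example (not Horde code). All values below are constructed.

// Vulnerable form: $index is spliced into a single-quoted shell word, so a
// single quote inside $index terminates that word and whatever follows is
// parsed by the shell as part of the command line.
function buildSelectorVulnerable($tmpin, $index) {
    return '"' . $tmpin . '"\'[' . $index . ']\' ';
}

// Fixed form (what the commit does): an int cast can only yield an optional
// minus sign followed by digits, so no quote or metacharacter survives.
function buildSelectorFixed($tmpin, $index) {
    return '"' . $tmpin . '"\'[' . (int)$index . ']\' ';
}

// Stricter form: reject anything that is not an integer in range up front,
// then escape the whole argument so the intent is visible at the call site.
function buildSelectorStrict($tmpin, $index, $maxPages) {
    $clean = filter_var($index, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 0, 'max_range' => $maxPages - 1),
    ));
    if ($clean === false) {
        throw new InvalidArgumentException('index must be an integer in 0..' . ($maxPages - 1));
    }
    return escapeshellarg($tmpin . '[' . $clean . ']') . ' ';
}

// Review/test helper: the built selector is only acceptable when the part
// between the brackets is purely numeric and the quoting is intact.
function selectorIsSafe($selector) {
    return (bool)preg_match('/^"[^"\']*"\'\[-?\d+\]\' $/', $selector);
}

$tmpin   = '/tmp/img1URPsC';       // constructed temp-file name
$payload = "5'\$(ls -al )'";        // the shape quoted in the commit message

var_dump(selectorIsSafe(buildSelectorVulnerable($tmpin, $payload)));
var_dump(selectorIsSafe(buildSelectorFixed($tmpin, $payload)));
echo buildSelectorFixed($tmpin, $payload), "\n";
echo buildSelectorStrict($tmpin, 5, 10), "\n";

try {
    buildSelectorStrict($tmpin, $payload, 10);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The cast is the smallest change that closes the vector and is what the commit ships; the strict variant is what a new call site should look like, since `filter_var()` with `FILTER_VALIDATE_INT` refuses leading-numeric strings such as the payload outright instead of silently truncating them, and `escapeshellarg()` makes the argument safe regardless of what the caller passes.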
1 parent f7672eb commit eb3afd1

1 file changed: +1 −1 lines
  • framework/Image/lib/Horde/Image


Diff for: framework/Image/lib/Horde/Image/Im.php

@@ -198,7 +198,7 @@ private function _raw($convert = false, $options = array())
198198
$tmpin = $this->toFile($this->_data);
199199
$tmpout = Horde_Util::getTempFile('img', false, $this->_tmpdir);
200200
$command = $this->_convert . ' ' . implode(' ', $this->_operations)
201-
. ' "' . $tmpin . '"\'[' . $options['index'] . ']\' '
201+
. ' "' . $tmpin . '"\'[' . (integer)$options['index'] . ']\' '
202202
. implode(' ', $this->_postSrcOperations)
203203
. ' -strip ' . $this->_type . ':"' . $tmpout . '" 2>&1';
204204
$this->_logDebug(sprintf("convert command executed by Horde_Image_im::raw(): %s", $command));
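Review bot: the `(integer)` cast at line 201 is the right minimal fix for the `$index` vector, since a cast can only produce an optional minus sign and digits, none of which can terminate the `'[...]'` shell word; a one-line comment next to it saying why the cast is there would keep a future cleanup from dropping it as redundant. Two follow-ups for the same string: `$this->_operations` and `$this->_postSrcOperations` are still imploded into the command without any escaping, so this fix relies on every writer of those arrays producing shell-safe tokens, and wrapping the bracketed selector in `escapeshellarg()` would make the argument safe regardless of how the index is obtained. The `_logDebug` call at line 204 records the full command including the index, which is useful for spotting malformed values in debug logs after the fact.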
