$index is passed down from getImageAtIndex($index).
Luckily the only official Horde code calling it
is the PDF preview code with a fixed index of 0.
Still, code from third-party vendors using the Horde framework libs
might expose getImageAtIndex() to the web.
PoC:
----------------
<?php
$options = array('index' => "5'$(ls -al )'");
$max_pages = 10;
// php fun: implicit conversion to integer
if ($options['index'] < $max_pages)
{
    // _raw() call in Im.php might look like
    // /usr/bin/convert "/tmp/img1URPsC"'[0]' -strip png:"/tmp/img0NgHfI"
    echo exec('echo \'[' . $options['index'] . ']\' ');
}
?>
----------------
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Jan Schneider <jan@horde.org>
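
A hardened counterpart to the PoC above, added here as an example; it is not Horde's code and not the patch from this commit. The helper names validatedIndex() and buildConvertCommand() and the /tmp paths are hypothetical. It validates the index as a strict integer within range instead of relying on PHP's implicit conversion, then quotes every shell argument.

```php
<?php
// Added example with hypothetical helper names; not taken from Horde_Image.

/**
 * Return $index as an int in [0, $maxPages - 1], or throw.
 * FILTER_VALIDATE_INT rejects "5'$(ls -al )'" outright instead of
 * truncating it to 5 the way a loose comparison or (int) cast would.
 */
function validatedIndex($index, int $maxPages): int
{
    $i = filter_var($index, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $maxPages - 1],
    ]);
    if ($i === false) {
        throw new InvalidArgumentException('Invalid image index');
    }
    return $i;
}

/**
 * Build the convert command line. Only the validated integer reaches the
 * "[n]" selector, and each argument is passed through escapeshellarg().
 */
function buildConvertCommand(string $in, string $out, $index, int $maxPages): string
{
    $i = validatedIndex($index, $maxPages);
    return '/usr/bin/convert '
        . escapeshellarg($in . '[' . $i . ']')
        . ' -strip '
        . escapeshellarg('png:' . $out);
}

// Constructed sample inputs, including the PoC string from the commit message.
$candidates = ['0', 3, "5'$(ls -al )'", '-1', '10'];

foreach ($candidates as $candidate) {
    try {
        echo buildConvertCommand('/tmp/imgIN', '/tmp/imgOUT', $candidate, 10), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($candidate, true), "\n";
    }
}
```

Only '0' and 3 produce a command line; the PoC string, the negative index and the out-of-range index are rejected before any command string is built.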