

Filtering user parameters before passing them into phpthumb class #13979


* upstream/pr/13979:
  Added strict mode for in_array
  Restores the previously missing handling of the phpthumb_imagemagick_path system setting
  Limit parameters incoming from users to only allowed from phpthumb
  Some code cleanup before fix
alroniks committed Jul 9, 2018
2 parents 79002a6 + a55c402 commit 06bc942
Showing 2 changed files with 42 additions and 18 deletions.
1 change: 1 addition & 0 deletions core/docs/changelog.txt
Expand Up @@ -4,6 +4,7 @@ development release, and is only shown to give an idea of what's currently in th

MODX Revolution 2.7.0-pl (TBD)
====================================
- Filtering user parameters before passing them into phpthumb class #13979
- Update phpThumb to 1.7.15-201806071234 #13938
- Require minimal PHP version (in composer.json) #13939
- Prefer ampersand replacement of the the translit class [#13931]
59 changes: 41 additions & 18 deletions core/model/phpthumb/modphpthumb.class.php
@@ -1,37 +1,44 @@
<?php
/**
* @package modx
* @subpackage phpthumb
*/
require_once MODX_CORE_PATH.'model/phpthumb/phpthumb.class.php';

require_once MODX_CORE_PATH . 'model/phpthumb/phpthumb.class.php';

/**
* Helper class to extend phpThumb and simplify thumbnail generation process
* since phpThumb class is overly convoluted and doesn't do enough.
*
* @package modx
* @subpackage phpthumb
*/
class modPhpThumb extends phpThumb {

class modPhpThumb extends phpThumb
{
public $modx;
public $config;

function __construct(modX &$modx,array $config = array()) {
public $config = array();

/**
* modPhpThumb constructor.
* @param modX $modx
* @param array $config
*/
public function __construct(modX &$modx, array $config = array())
{
$this->modx =& $modx;
$this->config = array_merge(array(
$this->config = $config;

),$config);
parent::__construct();
}

/**
* Setup some site-wide phpthumb options from modx config
*/
public function initialize() {
public function initialize()
{
$cachePath = $this->modx->getOption('core_path',null,MODX_CORE_PATH).'cache/phpthumb/';
if (!is_dir($cachePath)) $this->modx->cacheManager->writeTree($cachePath);
$this->setParameter('config_cache_directory',$cachePath);
$this->setParameter('config_temp_directory',$cachePath);
if (!is_dir($cachePath)) {
$this->modx->cacheManager->writeTree($cachePath);
}
$this->setParameter('config_cache_directory', $cachePath);
$this->setParameter('config_temp_directory', $cachePath);
$this->setCacheDirectory();

$this->setParameter('config_allow_src_above_docroot',(boolean)$this->modx->getOption('phpthumb_allow_src_above_docroot',$this->config,false));
Expand All @@ -51,24 +58,40 @@ public function initialize() {
$this->setParameter('config_nooffsitelink_erase_image',(boolean)$this->modx->getOption('phpthumb_nooffsitelink_erase_image',$this->config,true));
$this->setParameter('config_nooffsitelink_watermark_src',(string)$this->modx->getOption('phpthumb_nooffsitelink_watermark_src',$this->config,''));
$this->setParameter('config_nooffsitelink_text_message',(string)$this->modx->getOption('phpthumb_nooffsitelink_text_message',$this->config,'Off-server linking is not allowed'));
$this->setParameter('config_ttf_directory', (string)$this->modx->getOption('core_path', $this->config, MODX_CORE_PATH) . 'model/phpthumb/fonts/');
$this->setParameter('config_imagemagick_path', (string)$this->modx->getOption('phpthumb_imagemagick_path', $this->config, null));

$this->setParameter('cache_source_enabled',(boolean)$this->modx->getOption('phpthumb_cache_source_enabled',$this->config,false));
$this->setParameter('cache_source_directory',$cachePath.'source/');
$this->setParameter('allow_local_http_src',true);
$this->setParameter('zc',$this->modx->getOption('zc',$_REQUEST,$this->modx->getOption('phpthumb_zoomcrop',$this->config,0)));
$this->setParameter('far',$this->modx->getOption('far',$_REQUEST,$this->modx->getOption('phpthumb_far',$this->config,'C')));
$this->setParameter('cache_directory_depth',4);
$this->setParameter('config_ttf_directory',$this->modx->getOption('core_path',$this->config,MODX_CORE_PATH).'model/phpthumb/fonts/');

$documentRoot = $this->modx->getOption('phpthumb_document_root',$this->config, '');
if ($documentRoot == '') $documentRoot = $this->modx->getOption('base_path', null, '');
if (!empty($documentRoot)) {
$this->setParameter('config_document_root',$documentRoot);
}

// Only public parameters of phpThumb should be allowed to pass from user input.
// List properties between START PARAMETERS and START PARAMETERS in src/core/model/phpthumb/phpthumb.class.php
$allowed = array(
'src', 'new', 'w', 'h', 'wp', 'hp', 'wl', 'hl', 'ws', 'hs',
'f', 'q', 'sx', 'sy', 'sw', 'sh', 'zc', 'bc', 'bg', 'fltr',
'goto', 'err', 'xto', 'ra', 'ar', 'aoe', 'far', 'iar', 'maxb', 'down',
'md5s', 'sfn', 'dpi', 'sia', 'phpThumbDebug'
);

/* iterate through properties */
foreach ($this->config as $property => $value) {
$this->setParameter($property,$value);
if (!in_array($property, $allowed, true)) {
$this->modx->log(modX::LOG_LEVEL_WARN,"Detected attempt of using private parameter `$property` (for internal usage) of phpThumb that not allowed and insecure");
continue;
}
$this->setParameter($property, $value);
}

return true;
}

Expand Down Expand Up @@ -317,5 +340,5 @@ function ResolveFilenameToAbsolute($filename) {
}
return $AbsoluteFilename;
}

}
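Review bot: The allow-list loop at the end of initialize() (the in_array check followed by the WARN log) now fires for every key of $this->config that is not a public phpThumb parameter, yet the same method reads override keys such as phpthumb_allow_src_above_docroot, phpthumb_imagemagick_path and phpthumb_document_root out of $this->config a few lines earlier, so a caller that supplies those legitimately gets a spurious "insecure parameter" warning per key and the log entry stops being a useful signal of unexpected input. If such override keys are expected in $config, skip them ahead of the in_array line, e.g. `if (strpos($property, 'phpthumb_') === 0 || $property === 'core_path') { continue; }`, so the warning is reserved for keys that are neither public phpThumb parameters nor this class's own settings. The comment introducing the list says "between START PARAMETERS and START PARAMETERS"; presumably the second marker is END PARAMETERS, and it is worth correcting because the list has to be kept in sync with that file by hand. The log message would also read more clearly as `"Ignoring non-public phpThumb parameter '$property'; only public parameters may be supplied from user input"`. Finally, consider whether phpThumbDebug belongs in an allow-list meant to block insecure input, since it appears to let a request switch on phpThumb's debug output.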
