Fix remote code execution via crafted 'im_convert_path' or 'im_identi…
…fy_path' settings
alecpl committed Apr 26, 2020
1 parent 1c239c9 commit fcfb099
Showing 2 changed files with 6 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -26,6 +26,7 @@ CHANGELOG Roundcube Webmail
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings

RELEASE 1.4.3
-------------
8 changes: 5 additions & 3 deletions program/lib/Roundcube/rcube_image.php
@@ -158,7 +158,8 @@ public function resize($size, $filename = null, $browser_compat = false)
'size' => $width . 'x' . $height,
);

$result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
$result = rcube::exec(escapeshellcmd($convert)
. ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
. ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
}
// use PHP's Imagick class
@@ -323,7 +324,8 @@ public function convert($type, $filename = null)
$p['out'] = $filename;
$p['type'] = self::$extensions[$type];

$result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
$result = rcube::exec(escapeshellcmd($convert)
. ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);

if ($result === '') {
chmod($filename, 0600);
@@ -419,7 +421,7 @@ private function identify()
// use ImageMagick in command line
if ($cmd = $rcube->config->get('im_identify_path')) {
$args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
$id = rcube::exec($cmd. ' 2>/dev/null -format {format} {in}', $args);
$id = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);

if ($id) {
return explode(' ', strtolower($id));
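Review bot: `escapeshellcmd()` in the three `rcube::exec()` calls (in resize(), convert() and identify()) neutralises shell metacharacters but leaves whitespace untouched, so a configured `im_convert_path` / `im_identify_path` value containing a space is still split by the shell into a binary plus extra arguments. If these settings are meant to hold only a path, it would be tighter to skip the command-line branch when `!is_executable($cmd)` and to quote the value as a single word, e.g. `$id = rcube::exec(escapeshellarg($cmd) . ' 2>/dev/null -format {format} {in}', $args);`, with the same treatment for `$convert`. Where the value can originate is not visible in these hunks, so it is worth confirming that it can only come from the administrator's config and not from anything user-writable. All three function bodies, and the assignment of `$convert`, lie outside the lines shown.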
