Merge pull request #703 from tcitworld/images_security

Security fixes for downloaded images (thanks @leblanc-simon)
2014-05-20 11:55:20 +02:00 · 2014-05-20 11:55:20 +02:00 · 88f0e31622
commit 88f0e31622
parent 04b43dc097 38eecef26b
2 changed files with 55 additions and 6 deletions
--- a/inc/poche/config.inc.default.php
+++ b/inc/poche/config.inc.default.php
@ -30,7 +30,8 @@
@define ('MODE_DEMO', FALSE);
@define ('DEBUG_POCHE', FALSE);
-@define ('DOWNLOAD_PICTURES', FALSE);
+@define ('DOWNLOAD_PICTURES', FALSE); # This can slow down the process of adding articles
@define ('REGENERATE_PICTURES_QUALITY', 75);
@define ('CONVERT_LINKS_FOOTNOTES', FALSE);
@define ('REVERT_FORCED_PARAGRAPH_ELEMENTS', FALSE);
@define ('SHARE_TWITTER', TRUE);
--- a/inc/poche/pochePictures.php
+++ b/inc/poche/pochePictures.php
@ -14,6 +14,7 @@
 function filtre_picture($content, $url, $id)
 {
    $matches = array();
    $processing_pictures = array(); // list of processing image to avoid processing the same pictures twice
    preg_match_all('#<\s*(img)[^>]+src="([^"]*)"[^>]*>#Si', $content, $matches, PREG_SET_ORDER);
    foreach($matches as $i => $link) {
        $link[1] = trim($link[1]);
@ -22,8 +23,17 @@ function filtre_picture($content, $url, $id)
            $filename = basename(parse_url($absolute_path, PHP_URL_PATH));
            $directory = create_assets_directory($id);
            $fullpath = $directory . '/' . $filename;
-            download_pictures($absolute_path, $fullpath);
+            
-            $content = str_replace($matches[$i][2], $fullpath, $content);
+            if (in_array($absolute_path, $processing_pictures) === true) {
                // replace picture's URL only if processing is OK : already processing -> go to next picture
                continue;
            }
            if (download_pictures($absolute_path, $fullpath) === true) {
                $content = str_replace($matches[$i][2], $fullpath, $content);
            }
            $processing_pictures[] = $absolute_path;
        }
    }
@ -64,17 +74,55 @@ function get_absolute_link($relative_link, $url) {
 /**
 * Téléchargement des images
 * 
 * @return bool true if the download and processing is OK, false else
 */
 function download_pictures($absolute_path, $fullpath)
 {
    $rawdata = Tools::getFile($absolute_path);
    $fullpath = urldecode($fullpath);
    if(file_exists($fullpath)) {
        unlink($fullpath);
    }
-    $fp = fopen($fullpath, 'x');
+    
-    fwrite($fp, $rawdata);
+    // check extension
-    fclose($fp);
+    $file_ext = strrchr($fullpath, '.');
    $whitelist = array(".jpg",".jpeg",".gif",".png"); 
    if (!(in_array($file_ext, $whitelist))) {
        Tools::logm('processed image with not allowed extension. Skipping ' . $fullpath);
        return false;
    }
    // check headers
    $imageinfo = getimagesize($absolute_path);
    if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
        Tools::logm('processed image with bad header. Skipping ' . $fullpath);
        return false;
    }
    // regenerate image
    $im = imagecreatefromstring($rawdata);
    if ($im === false) {
        Tools::logm('error while regenerating image ' . $fullpath);
        return false;
    }
    switch ($imageinfo['mime']) {
        case 'image/gif':
            $result = imagegif($im, $fullpath);
            break;
        case 'image/jpeg':
        case 'image/jpg':
            $result = imagejpeg($im, $fullpath, REGENERATE_PICTURES_QUALITY);
            break;
        case 'image/png':
            $result = imagepng($im, $fullpath, ceil(REGENERATE_PICTURES_QUALITY / 100 * 9));
            break;
    }
    imagedestroy($im);
    return $result;
 }
 /**