diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2006-09-26 22:05:51 +0200 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2006-09-26 22:05:51 +0200 |
| commit | 8fcc3410e3603bb823483a739753a3c4a12e6d7c (patch) | |
| tree | 52a4955d085000e9a4fdb6ad1ba412b083ff017b | |
| parent | 041d1964bde2693df05726690877835ddae4e83e (diff) | |
| download | rpg-8fcc3410e3603bb823483a739753a3c4a12e6d7c.tar.gz rpg-8fcc3410e3603bb823483a739753a3c4a12e6d7c.tar.bz2 | |
security fixes for fetch.php #924 #962
Fixes a shell injection and a DOS vulnerability
darcs-hash:20060926200551-7ad00-5ef27940dda6e48e7e2f8743fc90fa80b7b5cdff.gz
| -rw-r--r-- | conf/msg | 2 | ||||
| -rw-r--r-- | lib/exe/fetch.php | 7 |
2 files changed, 5 insertions, 4 deletions
@@ -1,4 +1,4 @@ -2 +3 The first line of this file contains a number, indicating which notification messages should not be displayed. This is the only information sent to dokuwiki.org when the diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php index e45c27e67..343145c54 100644 --- a/lib/exe/fetch.php +++ b/lib/exe/fetch.php @@ -22,8 +22,8 @@ //get input $MEDIA = getID('media',false); // no cleaning - maybe external $CACHE = calc_cache($_REQUEST['cache']); - $WIDTH = $_REQUEST['w']; - $HEIGHT = $_REQUEST['h']; + $WIDTH = (int) $_REQUEST['w']; + $HEIGHT = (int) $_REQUEST['h']; list($EXT,$MIME) = mimetype($MEDIA); if($EXT === false){ $EXT = 'unknown'; @@ -183,6 +183,8 @@ function get_resized($file, $ext, $w, $h=0){ $info = getimagesize($file); if(!$h) $h = round(($w * $info[1]) / $info[0]); + // we wont scale up to infinity + if($w > 2000 || $h > 2000) return $file; //cache $local = getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext); @@ -271,7 +273,6 @@ function resize_imageIM($ext,$from,$from_w,$from_h,$to,$to_w,$to_h){ @exec($cmd,$out,$retval); if ($retval == 0) return true; - return false; } |