From 8fcc3410e3603bb823483a739753a3c4a12e6d7c Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 26 Sep 2006 22:05:51 +0200
Subject: security fixes for fetch.php #924 #962 Fixes a shell injection and a DOS vulnerability darcs-hash:20060926200551-7ad00-5ef27940dda6e48e7e2f8743fc90fa80b7b5cdff.gz
---
 conf/msg | 2 +-
 lib/exe/fetch.php | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/conf/msg b/conf/msg
index a5b98b2b0..d500aaf82 100644
--- a/conf/msg
+++ b/conf/msg
@@ -1,4 +1,4 @@
-2
+3
 The first line of this file contains a number, indicating which notification messages should not be displayed. This is the only information sent to dokuwiki.org when the
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index e45c27e67..343145c54 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -22,8 +22,8 @@
 //get input
 $MEDIA = getID('media',false); // no cleaning - maybe external
 $CACHE = calc_cache($_REQUEST['cache']);
- $WIDTH = $_REQUEST['w'];
- $HEIGHT = $_REQUEST['h'];
+ $WIDTH = (int) $_REQUEST['w'];
+ $HEIGHT = (int) $_REQUEST['h'];
 list($EXT,$MIME) = mimetype($MEDIA);
 if($EXT === false){
 $EXT = 'unknown';
@@ -183,6 +183,8 @@ function get_resized($file, $ext, $w, $h=0){
 $info = getimagesize($file);
 if(!$h) $h = round(($w * $info[1]) / $info[0]);
+ // we wont scale up to infinity
+ if($w > 2000 || $h > 2000) return $file;
 //cache
 $local = getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext);
@@ -271,7 +273,6 @@ function resize_imageIM($ext,$from,$from_w,$from_h,$to,$to_w,$to_h){
 @exec($cmd,$out,$retval);
 if ($retval == 0) return true;
- return false;
 }
--
cgit v1.2.3
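Review bot: The `(int)` casts on `$WIDTH` and `$HEIGHT` in the first fetch.php hunk remove shell metacharacters but still admit negative numbers, and the cap added in get_resized tests only the upper bound. Clamping at the input keeps nonsensical sizes out of the resize and cache-name code: `$WIDTH = max(0, (int) $_REQUEST['w']);`, and the same for `$HEIGHT`. Reading `$_REQUEST['w']` without an `isset()` check also raises an undefined-index notice when the parameter is absent. The input block this hunk sits in starts and ends outside the hunk.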
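Review bot: The 2000-pixel cap in get_resized limits the cost of a single resize, but each distinct `$w`x`$h` pair under the cap still appears to get its own cache entry through `getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext)`, so resize work and cache growth remain driven by request parameters. Restricting resizes to a fixed set of sizes, or requiring a server-generated token on resize URLs, would bound that. The limit is also a bare literal; a named configuration value with a comment such as `// upper bound per side, keeps resize memory bounded` would make it tunable and explain the choice. get_resized starts on the hunk header line and continues past the end of the hunk.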
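Review bot: `@exec($cmd,$out,$retval)` in resize_imageIM remains the sink for the injection this commit addresses, and nothing visible in the function constrains its arguments, so safety depends on every caller casting as fetch.php now does. Where `$cmd` is assembled (outside this hunk), cast the numeric parameters, e.g. `$to_w = (int) $to_w;`, and pass the `$from` and `$to` paths through `escapeshellarg()` if that is not already done. The page shows `return false;` on the hunk's only `-` line, but the 7-to-6 line count also fits a dropped blank line with whitespace lost in rendering, so confirm against the repository that the failure return is still present.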