From d1ed0b61f4795d01c2d9675949d2aad4568bc0c7 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Wed, 18 Oct 2006 14:49:42 +0200
Subject: better check for images in fetch.php

This patch is an enhancement to yesterday's changes. The ability to download external content could be used for XSS attacks, when faking the sent MIME type. This patch adds a check on the received data for valid images.

darcs-hash:20061018124942-7ad00-4e8bca7d3877e6a10c348b5d45499cf8adf8b087.gz
---
 lib/exe/fetch.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'lib/exe/fetch.php')
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 1f854b338..94aae7deb 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -31,9 +31,9 @@
 }
 //media to local file
- if(preg_match('#^(https?|ftp)://#i',$MEDIA)){
- //handle external media
- $FILE = get_from_URL($MEDIA,$EXT,$CACHE);
+ if(preg_match('#^(https?)://#i',$MEDIA)){
+ //handle external images
+ if(strncmp($MIME,'image/',6) == 0) $FILE = get_from_URL($MEDIA,$EXT,$CACHE);
 if(!$FILE){
 //download failed - redirect to original URL
 header('Location: '.$MEDIA);
@@ -272,6 +272,14 @@ function image_download($url,$file){
 fwrite($fp,$data);
 fclose($fp);
 if(!$fileexists and $conf['fperm']) chmod($file, $conf['fperm']);
+
+ // check if it is really an image
+ $info = @getimagesize($file);
+ if(!$info){
+ @unlink($file);
+ return false;
+ }
+ return true;
 }
-- 
cgit v1.2.3
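Review bot: In the first hunk `$FILE` is never assigned when the `strncmp($MIME,'image/',6)` test fails, so the following `if(!$FILE)` reads an undefined variable and only reaches the redirect because an unset variable happens to be falsy; initialise it explicitly, e.g. `$FILE = false;` immediately before the `if(strncmp(...)) $FILE = get_from_URL(...)` line, so the non-image branch is deliberate rather than accidental. The `$MIME` used here appears to be derived from the requested extension rather than from the fetched bytes, which is why the check added in the second hunk is needed; a short comment such as `// $MIME comes from the requested extension; the payload itself is validated in image_download()` would make that dependency visible. The enclosing block starts before this hunk.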
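Review bot: The `getimagesize($file)` check in image_download() proves only that the bytes parse as some format getimagesize understands; it does not confirm the detected type matches the `image/*` MIME that fetch.php will send, and getimagesize also recognises non-raster formats such as SWF, so a payload of a different type would still be served under the extension-derived Content-Type. Compare the detected type with the expected one as well, e.g. `if(!$info || strncmp($info['mime'],'image/',6) != 0){` (or pass the expected MIME into image_download() and compare against it). Note also that the validation runs after the data has already been written to `$file`, and on failure `@unlink($file)` removes the file even when `$fileexists` was true, so a bad download discards a previously cached good copy; validating the buffer via a temporary file before replacing the cache entry would avoid both issues. The function body begins before this hunk.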