From 8fcc3410e3603bb823483a739753a3c4a12e6d7c Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Tue, 26 Sep 2006 22:05:51 +0200 Subject: security fixes for fetch.php #924 #962 Fixes a shell injection and a DOS vulnerability darcs-hash:20060926200551-7ad00-5ef27940dda6e48e7e2f8743fc90fa80b7b5cdff.gz --- lib/exe/fetch.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php index e45c27e67..343145c54 100644 --- a/lib/exe/fetch.php +++ b/lib/exe/fetch.php @@ -22,8 +22,8 @@ //get input $MEDIA = getID('media',false); // no cleaning - maybe external $CACHE = calc_cache($_REQUEST['cache']); - $WIDTH = $_REQUEST['w']; - $HEIGHT = $_REQUEST['h']; + $WIDTH = (int) $_REQUEST['w']; + $HEIGHT = (int) $_REQUEST['h']; list($EXT,$MIME) = mimetype($MEDIA); if($EXT === false){ $EXT = 'unknown'; @@ -183,6 +183,8 @@ function get_resized($file, $ext, $w, $h=0){ $info = getimagesize($file); if(!$h) $h = round(($w * $info[1]) / $info[0]); + // we wont scale up to infinity + if($w > 2000 || $h > 2000) return $file; //cache $local = getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext); @@ -271,7 +273,6 @@ function resize_imageIM($ext,$from,$from_w,$from_h,$to,$to_w,$to_h){ @exec($cmd,$out,$retval); if ($retval == 0) return true; - return false; } -- cgit v1.2.3