From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/lib/Roundcube/rcube_image.php | 111 ++++++++++++++++++++++++++++++++++++++++---------------
1 files changed, 81 insertions(+), 30 deletions(-)
diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php
index 735a0df..495800d 100644
--- a/program/lib/Roundcube/rcube_image.php
+++ b/program/lib/Roundcube/rcube_image.php
@@ -93,6 +93,10 @@
$convert = $rcube->config->get('im_convert_path', false);
$props = $this->props();
+ if (empty($props)) {
+ return false;
+ }
+
if (!$filename) {
$filename = $this->image_file;
}
@@ -101,7 +105,6 @@
if ($convert) {
$p['out'] = $filename;
$p['in'] = $this->image_file;
- $p['size'] = $size.'x'.$size;
$type = $props['type'];
if (!$type && ($data = $this->identify())) {
@@ -116,11 +119,37 @@
$type = 'jpg';
}
- $p += array('type' => $type, 'types' => "bmp,eps,gif,jp2,jpg,png,svg,tif", 'quality' => 75);
- $p['-opts'] = array('-resize' => $p['size'].'>');
+ // If only one dimension is greater than the limit convert doesn't
+ // work as expected, we need to calculate new dimensions
+ $scale = $size / max($props['width'], $props['height']);
- if (in_array($type, explode(',', $p['types']))) { // Valid type?
- $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace RGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p);
+ // if file is smaller than the limit, we do nothing
+ // but copy original file to destination file
+ if ($scale >= 1 && $p['intype'] == $type) {
+ $result = ($this->image_file == $filename || copy($this->image_file, $filename)) ? '' : false;
+ }
+ else {
+ if ($scale >= 1) {
+ $width = $props['width'];
+ $height = $props['height'];
+ }
+ else {
+ $width = intval($props['width'] * $scale);
+ $height = intval($props['height'] * $scale);
+ }
+
+ $valid_types = "bmp,eps,gif,jp2,jpg,png,svg,tif";
+
+ $p += array(
+ 'type' => $type,
+ 'quality' => 75,
+ 'size' => $width . 'x' . $height,
+ );
+
+ if (in_array($type, explode(',', $valid_types))) { // Valid type?
+ $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
+ . ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
+ }
}
if ($result === '') {
@@ -137,7 +166,7 @@
}
else if($props['gd_type'] == IMAGETYPE_GIF && function_exists('imagecreatefromgif')) {
$image = imagecreatefromgif($this->image_file);
- $type = 'gid';
+ $type = 'gif';
}
else if($props['gd_type'] == IMAGETYPE_PNG && function_exists('imagecreatefrompng')) {
$image = imagecreatefrompng($this->image_file);
@@ -148,39 +177,61 @@
return false;
}
+ if ($image === false) {
+ return false;
+ }
+
$scale = $size / max($props['width'], $props['height']);
// Imagemagick resize is implemented in shrinking mode (see -resize argument above)
// we do the same here, if an image is smaller than specified size
// we do nothing but copy original file to destination file
- if ($scale > 1) {
- return $this->image_file == $filename || copy($this->image_file, $filename) ? $type : false;
+ if ($scale >= 1) {
+ $result = $this->image_file == $filename || copy($this->image_file, $filename);
}
+ else {
+ $width = intval($props['width'] * $scale);
+ $height = intval($props['height'] * $scale);
+ $new_image = imagecreatetruecolor($width, $height);
- $width = $props['width'] * $scale;
- $height = $props['height'] * $scale;
+ // Fix transparency of gif/png image
+ if ($props['gd_type'] != IMAGETYPE_JPEG) {
+ imagealphablending($new_image, false);
+ imagesavealpha($new_image, true);
+ $transparent = imagecolorallocatealpha($new_image, 255, 255, 255, 127);
+ imagefilledrectangle($new_image, 0, 0, $width, $height, $transparent);
+ }
- $new_image = imagecreatetruecolor($width, $height);
+ imagecopyresampled($new_image, $image, 0, 0, 0, 0, $width, $height, $props['width'], $props['height']);
+ $image = $new_image;
- // Fix transparency of gif/png image
- if ($props['gd_type'] != IMAGETYPE_JPEG) {
- imagealphablending($new_image, false);
- imagesavealpha($new_image, true);
- $transparent = imagecolorallocatealpha($new_image, 255, 255, 255, 127);
- imagefilledrectangle($new_image, 0, 0, $width, $height, $transparent);
- }
+ // fix rotation of image if EXIF data exists and specifies rotation (GD strips the EXIF data)
+ if ($this->image_file && $type == 'jpg' && function_exists('exif_read_data')) {
+ $exif = exif_read_data($this->image_file);
+ if ($exif && $exif['Orientation']) {
+ switch ($exif['Orientation']) {
+ case 3:
+ $image = imagerotate($image, 180, 0);
+ break;
+ case 6:
+ $image = imagerotate($image, -90, 0);
+ break;
+ case 8:
+ $image = imagerotate($image, 90, 0);
+ break;
+ }
+ }
+ }
- imagecopyresampled($new_image, $image, 0, 0, 0, 0, $width, $height, $props['width'], $props['height']);
- $image = $new_image;
-
- if ($props['gd_type'] == IMAGETYPE_JPEG) {
- $result = imagejpeg($image, $filename, 75);
- }
- elseif($props['gd_type'] == IMAGETYPE_GIF) {
- $result = imagegif($image, $filename);
- }
- elseif($props['gd_type'] == IMAGETYPE_PNG) {
- $result = imagepng($image, $filename, 6, PNG_ALL_FILTERS);
+ if ($props['gd_type'] == IMAGETYPE_JPEG) {
+ $result = imagejpeg($image, $filename, 75);
+ }
+ elseif($props['gd_type'] == IMAGETYPE_GIF) {
+ $result = imagegif($image, $filename);
+ }
+ elseif($props['gd_type'] == IMAGETYPE_PNG) {
+ $result = imagepng($image, $filename, 6, PNG_ALL_FILTERS);
+ }
}
if ($result) {
@@ -222,7 +273,7 @@
$p['out'] = $filename;
$p['type'] = self::$extensions[$type];
- $result = rcube::exec($convert . ' 2>&1 -colorspace RGB -quality 75 {in} {type}:{out}', $p);
+ $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -quality 75 {in} {type}:{out}', $p);
if ($result === '') {
@chmod($filename, 0600);
--
Gitblit v1.9.1