Fix command injection via crafted im_convert_path/im_identify_path on Windows

Reported by Huy Nguyễn Phạm Nhật.
This commit is contained in:
Aleksander Machniak
2024-05-19 10:10:32 +02:00
parent cfd108399e
commit 7da322371f
2 changed files with 5 additions and 2 deletions


@@ -57,6 +57,7 @@
- Fix bug in collapsing/expanding folders with some special characters in names (#9324)
- Fix PHP8 warnings (#9363, #9365, #9429)
- Fix missing field labels in CSV import, for some locales (#9393)
- Fix command injection via crafted im_convert_path/im_identify_path on Windows
## Release 1.6.6


@@ -487,18 +487,20 @@ class rcube_image
{
static $error = [];
$cmd = rcube::get_instance()->config->get($opt_name);
$cmd = (string) rcube::get_instance()->config->get($opt_name);
if (empty($cmd)) {
return false;
}
$cmd = trim($cmd);
if (preg_match('/^(convert|identify)(\.exe)?$/i', $cmd)) {
return $cmd;
}
// Executable must exist, also disallow network shares on Windows
if ($cmd[0] != '\\' && file_exists($cmd)) {
if ($cmd[0] !== '\\' && strpos($cmd, '//') !== 0 && file_exists($cmd)) {
return $cmd;
}
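Review bot: The new `trim()` runs after the `empty()` guard, so a whitespace-only configured path (which is not `empty()`) becomes `''` and reaches `$cmd[0]` on the rewritten condition, which raises an uninitialized-string-offset warning on PHP 8 rather than being rejected up front; trimming first and testing the result closes that gap: `$cmd = trim((string) rcube::get_instance()->config->get($opt_name));` followed by `if ($cmd === '') { return false; }`. The `'\\'`/`'//'` prefix checks only reject UNC-style share paths; `file_exists()` is still satisfied by a directory, so `is_file($cmd)` (or `is_executable()` where the platform supports it) would state the intent more precisely, and that intent deserves a comment beyond the current one, e.g. `// Only a local, existing file may be used as the conversion binary; what is safe to pass to the shell is decided here.` The enclosing method's signature and its error-reporting tail lie outside this hunk.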