From 7da322371fd00a54670a5d6679faae0fcbd3f229 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sun, 19 May 2024 10:10:32 +0200
Subject: [PATCH] Fix command injection via crafted im_convert_path/im_identify_path on Windows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported by Huy Nguyễn Phạm Nhật.
---
 CHANGELOG.md | 1 +
 program/lib/Roundcube/rcube_image.php | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index caddceeb1..979f0fc31 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -57,6 +57,7 @@
 - Fix bug in collapsing/expanding folders with some special characters in names (#9324)
 - Fix PHP8 warnings (#9363, #9365, #9429)
 - Fix missing field labels in CSV import, for some locales (#9393)
+- Fix command injection via crafted im_convert_path/im_identify_path on Windows
 ## Release 1.6.6
diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php
index 7f2e22c4c..9dbeb4703 100644
--- a/program/lib/Roundcube/rcube_image.php
+++ b/program/lib/Roundcube/rcube_image.php
@@ -487,18 +487,20 @@ class rcube_image
 {
 static $error = [];
- $cmd = rcube::get_instance()->config->get($opt_name);
+ $cmd = (string) rcube::get_instance()->config->get($opt_name);
 if (empty($cmd)) {
 return false;
 }
+ $cmd = trim($cmd);
+
 if (preg_match('/^(convert|identify)(\.exe)?$/i', $cmd)) {
 return $cmd;
 }
 // Executable must exist, also disallow network shares on Windows
- if ($cmd[0] != '\\' && file_exists($cmd)) {
+ if ($cmd[0] !== '\\' && strpos($cmd, '//') !== 0 && file_exists($cmd)) {
 return $cmd;
 }
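Review bot: In the rcube_image.php hunk the `empty($cmd)` test runs before the new `trim()`, so a value made only of whitespace passes it, becomes an empty string, and then reaches `$cmd[0]`, which raises an uninitialized-string-offset warning instead of being rejected at the guard. Trimming first closes that gap: `$cmd = trim((string) rcube::get_instance()->config->get($opt_name));` placed ahead of the `empty()` check. The share check also compares two literal prefixes against the raw string; normalising separators once (`str_replace('/', '\\', $cmd)`) and testing the result would keep it independent of how the path is spelled. The function's signature and the rest of its body are outside the hunk, so how the returned value is quoted when the command line is built cannot be confirmed from here.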