case 'rename':
$file = serendipity_fetchImageFromDatabase($serendipity['GET']['fid']);
- $serendipity['GET']['newname'] = serendipity_uploadSecure($serendipity['GET']['newname']);
+ $serendipity['GET']['newname'] = serendipity_uploadSecure($serendipity['GET']['newname'], true);
if ($serendipity['serendipityUserlevel'] < USERLEVEL_CHIEF && $file['authorid'] != '0' && $file['authorid'] != $serendipity['authorid']) {
return;
}
+ if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && !serendipity_isSafeFile($serendipity['GET']['newname'])) {
+ printf(ERROR_FILE_FORBIDDEN, $serendipity['GET']['newname']);
+ return;
+ }
+
if ($file['hotlink']) {
serendipity_updateImageInDatabase(array('name' => $serendipity['GET']['newname']), $serendipity['GET']['fid']);
} else {
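Review bot: The new guard in the `rename` case looks inverted relative to the helper it calls. `serendipity_isSafeFile()` (added further down) returns the `preg_match` result, which is 1 when the name ends in `.php`, `.cgi`, `.pl` and so on, so `!serendipity_isSafeFile(...)` is true for ordinary names and false for script extensions. As far as the visible lines show, users below `USERLEVEL_ADMIN` would get `ERROR_FILE_FORBIDDEN` for harmless names while script-extension names pass. Either drop the negation at this call site or make the helper match its name, e.g. `return !preg_match('@\.(php[34]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);`. The rest of the `case` body lies outside this hunk, so confirm how `newname` is combined with the stored extension before deciding which side to change.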
}
$tfile = serendipityNormalizeFilename(serendipity_uploadSecure($tfile));
- $serendipity['POST']['target_directory'][$tindex] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$tindex], true);
+ $serendipity['POST']['target_directory'][$tindex] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$tindex], true, true);
$target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $serendipity['POST']['target_directory'][$tindex] . $tfile;
if (file_exists($target)) {
}
$tfile = serendipityNormalizeFilename(serendipity_uploadSecure($tfile));
- $serendipity['POST']['target_directory'][$idx] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$idx], true);
+ $serendipity['POST']['target_directory'][$idx] = serendipity_uploadSecure($serendipity['POST']['target_directory'][$idx], true, true);
$target = $serendipity['serendipityPath'] . $serendipity['uploadPath'] . $serendipity['POST']['target_directory'][$idx] . $tfile;
if (file_exists($target)) {
return $out;
}
+function serendipity_isSafeFile($file) {
+ return preg_match('@\.(php[34]?|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
+}
/**
* Get a list of images
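Review bot: `serendipity_isSafeFile()` is a deny-list anchored on the final extension, and it has no docblock saying which direction its return value goes. The pattern `php[34]?` does not cover other PHP-mapped suffixes such as `php5` or `phar`, and a name whose script extension is not the last one (for example when the caller appends the original media extension afterwards) is not matched; whether those execute depends on web-server configuration that is not visible here. Prefer an allow-list of the media extensions the library is meant to hold, or at least widen the PHP alternative to something like `php\d*|phar|pht`. Add a docblock stating that the function returns the `preg_match` result (1 when the name ends in a listed script extension, 0 otherwise) so call sites do not misread it.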
}
}
-function serendipity_uploadSecure($var, $strip_paths = true) {
+function serendipity_uploadSecure($var, $strip_paths = true, $append_slash = false) {
$var = preg_replace('@[^0-9a-z\._/-]@i', '', $var);
if ($strip_paths) {
$var = preg_replace('@(\.+[/\\\\]+)@', '/', $var);
}
$var = preg_replace('@^(/+)@', '', $var);
+
+ if ($append_slash) {
+ if (substr($var, -1, 1) != '/') {
+ $var .= '/';
+ }
+ }
return $var;
}
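Review bot: The `$append_slash` block runs after the `$strip_paths` replacement, so a slash is added to a value that has already been checked. The strip pattern `@(\.+[/\\\\]+)@` only removes dot runs that are followed by a separator, so a value ending in dots passes through unchanged and then gains a trailing `/`. The sanitised result can therefore itself contain a parent-directory segment. Both new call sites pass `true, true` for `target_directory` and concatenate the result straight into `$target`, so this matters there. Normalise first and strip second: move the append above the `if ($strip_paths)` block, e.g. `if ($append_slash && substr($var, -1) != '/') { $var .= '/'; }`, and consider rejecting any remaining `..` segment outright instead of rewriting it.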