security fixes for fetch.php #924 #962

Fixes a shell injection and a DOS vulnerability darcs-hash:20060926200551-7ad00-5ef27940dda6e48e7e2f8743fc90fa80b7b5cdff.gz

security fixes for fetch.php #924 #962
8fcc3410 · Andreas Gohr · 041d1964 · 8fcc3410 · 8fcc3410
Commit 8fcc3410 authored 18 years ago by Andreas Gohr
--- a/conf/msg
+++ b/conf/msg
-2
+3
 The first line of this file contains a number, indicating
 which notification messages should not be displayed. This
 is the only information sent to dokuwiki.org when the

--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -22,8 +22,8 @@
  //get input
  $MEDIA  = getID('media',false); // no cleaning - maybe external
  $CACHE  = calc_cache($_REQUEST['cache']);
-  $WIDTH  = $_REQUEST['w'];
-  $HEIGHT = $_REQUEST['h'];
+  $WIDTH  = (int) $_REQUEST['w'];
+  $HEIGHT = (int) $_REQUEST['h'];
  list($EXT,$MIME) = mimetype($MEDIA);
  if($EXT === false){
    $EXT  = 'unknown';
@@ -183,6 +183,8 @@ function get_resized($file, $ext, $w, $h=0){
  $info  = getimagesize($file);
  if(!$h) $h = round(($w * $info[1]) / $info[0]);

+  // we wont scale up to infinity
+  if($w > 2000 || $h > 2000) return $file;

  //cache
  $local = getCacheName($file,'.media.'.$w.'x'.$h.'.'.$ext);
@@ -271,7 +273,6 @@ function resize_imageIM($ext,$from,$from_w,$from_h,$to,$to_w,$to_h){

  @exec($cmd,$out,$retval);
  if ($retval == 0) return true;
-
  return false;
 }