mbirth/LuckyCoinkydink
Archived
1
0
Fork 0
Code Issues Pull Requests Activity

Merge branch 'thh-rce'

Browse Source 
* thh-rce:
  Fix RCE vulnerability on Windows.
  Add missing active content check for renaming.
This commit is contained in:
Thomas Hochstein
2020-03-25 16:13:39 +01:00
parent fd8dcd3882 e792a8d913
commit 382c785725
2 changed files with 8 additions and 0 deletions

3
docs/NEWS

@ -1,6 +1,9 @@
Version 2.4-alpha1 ()
------------------------------------------------------------------------
* Security: Fix RCE on Windows.
Thanks to Junyu Zhang <rgdz.eye@gmail.com>!
* Fix: ML: Fixed filename generation when renaming and added
some error messages on rename failures.

5
include/functions_images.inc.php

@ -2027,6 +2027,7 @@ function serendipity_uploadSecure($var, $strip_paths = true, $append_slash = fal
$var = str_replace(' ', '_', $var);
$var = preg_replace('@[^0-9a-z\._/-]@i', '', $var);
$var = preg_replace('@\.+$@i', '', $var); # remove trailing dots
if ($strip_paths) {
$var = preg_replace('@(\.+[/\\\\]+)@', '/', $var);
}
@ -2261,6 +2262,10 @@ function serendipity_renameFile($id, $newName, $path = null) {
$newPath = $imgBase . $path . $newName . (empty($File['extension']) ? '' : '.' . $File['extension']);
if (serendipity_isActiveFile($newName) || serendipity_isActiveFile($newPath)) {
return sprintf('<span class="msg_error"><span class="icon-attention-circled" aria-hidden="true"></span> ' . ERROR_FILE_FORBIDDEN . "</span>\n", $newName);
}
if (file_exists($newPath)) {
return sprintf('<span class="msg_error"><span class="icon-attention-circled" aria-hidden="true"></span> ' . ERROR_FILE_EXISTS . "</span>\n", $newName);
}