Fix RCE vulnerability on Windows.

Steps to reproduce:

1) Upload a PHP script to the Media Library,
   naming it "test" (or any other name
   without extension).
2) Rename it to "exploit.php." (trailing dot!)

On Linux, the file will be renamed to
"exploit.php..", which is safe and
cannot be exploited.

On Windows though, the file will be
renamed to "exploit.php" and is then
remotely executable by calling it
from "/uploads/exploit.php".

Thanks to Junyu Zhang <rgdz.eye@gmail.com>
for spotting this!

Signed-off-by: Thomas Hochstein <thh@inter.net>
Thomas Hochstein 2020-03-25 10:02:53 +01:00
parent 21c3b0d83f
commit e792a8d913
2 changed files with 4 additions and 0 deletions


@ -1,6 +1,9 @@
Version 2.4-alpha1 ()
------------------------------------------------------------------------
* Security: Fix RCE on Windows.
Thanks to Junyu Zhang <rgdz.eye@gmail.com>!
* Fix: ML: Fixed filename generation when renaming and added
some error messages on rename failures.
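Review bot: the "Security: Fix RCE on Windows." changelog entry should name the affected component and the trigger, since users reading the changelog cannot tell what was vulnerable; the commit message already has the details, so something like "Security: ML: Fix RCE on Windows via trailing dot in renamed upload filenames" would let administrators judge whether they are exposed.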


@ -2027,6 +2027,7 @@ function serendipity_uploadSecure($var, $strip_paths = true, $append_slash = fal
$var = str_replace(' ', '_', $var);
$var = preg_replace('@[^0-9a-z\._/-]@i', '', $var);
$var = preg_replace('@\.+$@i', '', $var); # remove trailing dots
if ($strip_paths) {
$var = preg_replace('@(\.+[/\\\\]+)@', '/', $var);
}
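Review bot: the new `preg_replace('@\.+$@i', '', $var)` line runs before the `$strip_paths` block, so any trailing dots that only become trailing after the path-collapsing replacement below it are not stripped; consider moving the trailing-dot removal after the `if ($strip_paths)` block (or running it in both places). Also, the `i` modifier is redundant on a pattern that contains no letters, and `$var = rtrim($var, '.');` expresses the same intent more plainly than a regex. A regression test with the commit message's input ("exploit.php." -> "exploit.php") would guard this behaviour on both platforms.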