1
0

Fix self-XSS on file upload

The filename was used without escaping in the success message shown after upload.
This commit is contained in:
onli
2019-02-20 21:38:13 +01:00
parent 153b5a37f1
commit f295a3b123


@ -336,6 +336,7 @@ switch ($serendipity['GET']['adminAction']) {
foreach($uploadfiles AS $uploadfile) {
$uploadFileCounter++;
$target_filename = $serendipity['POST']['target_filename'][$idx];
$uploadtmp = $_FILES['serendipity']['tmp_name']['userfile'][$idx];
if (is_array($uploadtmp)) {
$uploadtmp = $uploadtmp[$uploadFileCounter];
@ -350,6 +351,7 @@ switch ($serendipity['GET']['adminAction']) {
}
$tfile = str_replace(' ', '_', basename($tfile)); // keep serendipity_uploadSecure(URL) whitespace convert behaviour, when using serendipity_makeFilename()
$tfile = serendipity_specialchars($tfile); # needed to prevent ability for uploader to inject javascript
$tfile = serendipity_uploadSecure(serendipity_makeFilename($tfile));
if (serendipity_isActiveFile($tfile)) {
@ -374,7 +376,7 @@ switch ($serendipity['GET']['adminAction']) {
// Accept file
if (is_uploaded_file($uploadtmp) && serendipity_checkMediaSize($uploadtmp) && move_uploaded_file($uploadtmp, $target)) {
$messages[] = sprintf('<span class="msg_success"><span class="icon-ok-circled" aria-hidden="true"></span> ' . FILE_UPLOADED . "</span>\n", $uploadfile , $target);
$messages[] = sprintf('<span class="msg_success"><span class="icon-ok-circled" aria-hidden="true"></span> ' . FILE_UPLOADED . "</span>\n", $tfile, $target);
@umask(0000);
@chmod($target, 0664);