From e792a8d91381174eb211f1ab84cdeaa212528217 Mon Sep 17 00:00:00 2001
From: Thomas Hochstein
Date: Wed, 25 Mar 2020 10:02:53 +0100
Subject: [PATCH] Fix RCE vulnerability on Windows.
Steps to reproduce: 1) Upload a PHP script to the Media Libray, naming it "test" (or any other name without extension). 2) Rename it to "exploit.php." (trailing dot!) On Linux, the file will be renamed to "exploit.php..", which is safe and cannot be exploited. On Windows though, the file will be renemad to "exploit.php" and is then remotely executable by calling it from "/uploads/exploit.php". Thanks to Junyu Zhang for spotting this!
Signed-off-by: Thomas Hochstein
---
 docs/NEWS | 3 +++
 include/functions_images.inc.php | 1 +
 2 files changed, 4 insertions(+)
diff --git a/docs/NEWS b/docs/NEWS
index 86485640..3e834e2a 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -1,6 +1,9 @@
 Version 2.4-alpha1 ()
 ------------------------------------------------------------------------
+ * Security: Fix RCE on Windows.
+ Thanks to Junyu Zhang !
+
 * Fix: ML: Fixed filename generation when renaming and added some error messages on rename failures.
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index 27ee11ed..a5397cdf 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -2027,6 +2027,7 @@ function serendipity_uploadSecure($var, $strip_paths = true, $append_slash = fal
 $var = str_replace(' ', '_', $var);
 $var = preg_replace('@[^0-9a-z\._/-]@i', '', $var);
+ $var = preg_replace('@\.+$@i', '', $var); # remove trailing dots
 if ($strip_paths) {
 $var = preg_replace('@(\.+[/\\\\]+)@', '/', $var);
 }
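Review bot: Removing trailing dots only closes the Windows hole if the extension check that refuses `.php` runs on the value this function returns, so that `exploit.php.` is now seen as `exploit.php` and rejected; that check is not in the hunk and `serendipity_uploadSecure` continues outside it, so the caller path should be confirmed and covered by a test for the `exploit.php.` case. A name that is only dots (`...`, or one reduced to dots by the character-class strip on the previous line) now comes back as an empty string, which callers must treat as an invalid name rather than hand to the rename. Windows also drops trailing spaces from file names, but the `str_replace(' ', '_', $var)` two lines earlier already neutralises that variant. The `i` modifier on `'@\.+$@i'` is a no-op because the pattern contains no letters, and since the preceding line already strips newlines the whole statement is equivalent to the clearer `$var = rtrim($var, '.'); # Windows silently drops trailing dots, so "exploit.php." would be stored as exploit.php`.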