forked from GNUsocial/gnu-social
[MEDIA] Removed blacklisted extensions, "trusts" upload extension (doesn't affect anything) and updated sysadmin documentation
Fixes bug which broke the UI. Oops
This commit is contained in:
parent
b9a0733062
commit
ccebe536b3
@ -667,6 +667,12 @@ in php.ini to be large enough to handle your upload. In httpd.conf
|
||||
(if you're using apache), check that the LimitRequestBody directive isn't
|
||||
set too low (it's optional, so it may not be there at all).
|
||||
|
||||
* `extblacklist`: associative array to either deny certain extensions or
|
||||
change them to a different one. For example:
|
||||
$config['attachments']['extblacklist']['php'] = 'phps'; // this turns .php into .phps
|
||||
$config['attachments']['extblacklist']['exe'] = false; // this would deny any uploads
|
||||
// of files with the "exe" extension
|
||||
|
||||
* `process_links`: follow redirects and save all available file information
|
||||
(mimetype, date, size, oembed, etc.). Defaults to true.
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
# GNU social 1.21.x
|
||||
# GNU social 1.22.x
|
||||
(c) 2010-2019 Free Software Foundation, Inc
|
||||
|
||||
This is the README file for GNU social, the free
|
||||
|
@ -336,6 +336,31 @@ class File extends Managed_DataObject
|
||||
return $filename;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $filename
|
||||
* @return string|bool Value from the 'extblacklist' array, in the config
|
||||
*/
|
||||
public static function getSafeExtension(string $filename) {
|
||||
if (preg_match('/^.+?\.([A-Za-z0-9]+)$/', $filename, $matches)) {
|
||||
// we matched on a file extension, so let's see if it means something.
|
||||
$ext = mb_strtolower($matches[1]);
|
||||
$blacklist = common_config('attachments', 'extblacklist');
|
||||
// If we got an extension from $filename we want to check if it's in a blacklist
|
||||
// so we avoid people uploading restricted files
|
||||
if (array_key_exists($ext, $blacklist)) {
|
||||
if (!is_string($blacklist[$ext])) {
|
||||
return false;
|
||||
}
|
||||
// return a safe replacement extension ('php' => 'phps' for example)
|
||||
return $blacklist[$ext];
|
||||
}
|
||||
// the attachment extension based on its filename was not blacklisted so it's ok to use it
|
||||
return $ext;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param $mimetype string The mimetype we've discovered for this file.
|
||||
* @param $filename string An optional filename which we can use on failure.
|
||||
@ -351,28 +376,16 @@ class File extends Managed_DataObject
|
||||
return $ext;
|
||||
} catch (UnknownMimeExtensionException $e) {
|
||||
// We don't know the extension for this mimetype, but let's guess.
|
||||
|
||||
// If we can't recognize the extension from the MIME, we try
|
||||
// to guess based on filename, if one was supplied.
|
||||
if (!is_null($filename) && preg_match('/^.+\.([A-Za-z0-9]+)$/', $filename, $matches)) {
|
||||
// we matched on a file extension, so let's see if it means something.
|
||||
$ext = mb_strtolower($matches[1]);
|
||||
|
||||
$blacklist = common_config('attachments', 'extblacklist');
|
||||
// If we got an extension from $filename we want to check if it's in a blacklist
|
||||
// so we avoid people uploading .php files etc.
|
||||
if (array_key_exists($ext, $blacklist)) {
|
||||
if (!is_string($blacklist[$ext])) {
|
||||
// we don't have a safe replacement extension
|
||||
throw new ClientException(_('Blacklisted file extension.'));
|
||||
}
|
||||
common_debug('Found replaced extension for filename '._ve($filename).': '._ve($ext));
|
||||
|
||||
// return a safe replacement extension ('php' => 'phps' for example)
|
||||
return $blacklist[$ext];
|
||||
if (!is_null($filename)) {
|
||||
$ext = getSafeExtension($filename);
|
||||
if ($ext === false) {
|
||||
// we don't have a safe replacement extension
|
||||
throw new ClientException(_('Blacklisted file extension.'));
|
||||
} else {
|
||||
return $ext;
|
||||
}
|
||||
// the attachment extension based on its filename was not blacklisted so it's ok to use it
|
||||
return $ext;
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
common_log(LOG_INFO, 'Problem when figuring out extension for mimetype: '._ve($e));
|
||||
@ -381,9 +394,9 @@ class File extends Managed_DataObject
|
||||
// If nothing else has given us a result, try to extract it from
|
||||
// the mimetype value (this turns .jpg to .jpeg for example...)
|
||||
$matches = array();
|
||||
// FIXME: try to build a regexp that will get jpeg from image/jpeg as well as json from application/jrd+json
|
||||
if (!preg_match('/\/([a-z0-9]+)/', mb_strtolower($mimetype), $matches)) {
|
||||
throw new Exception('Malformed mimetype: '.$mimetype);
|
||||
// Will get jpeg from image/jpeg as well as json from application/jrd+json
|
||||
if (!preg_match('/[\/+-\.]([a-z0-9]+)/', mb_strtolower($mimetype), $matches)) {
|
||||
throw new Exception("Malformed mimetype: {$mimetype}");
|
||||
}
|
||||
return mb_strtolower($matches[1]);
|
||||
}
|
||||
|
@ -273,10 +273,7 @@ $default =
|
||||
'show_html' => false, // show (filtered) text/html attachments (and oEmbed HTML etc.). Doesn't affect AJAX calls.
|
||||
'show_thumbs' => true, // show thumbnails in notice lists for uploaded images, and photos and videos linked remotely that provide oEmbed info
|
||||
'process_links' => true, // check linked resources for embeddable photos and videos; this will hit referenced external web sites when processing new messages.
|
||||
'extblacklist' => [
|
||||
'php' => 'phps', // this turns .php into .phps
|
||||
'exe' => false, // this would deny any uploads to keep the "exe" file extension
|
||||
],
|
||||
'extblacklist' => [],
|
||||
'memory_limit' => '1024M' // PHP's memory limit to use temporarily when handling images
|
||||
),
|
||||
'thumbnail' => [
|
||||
|
@ -32,12 +32,12 @@ defined('GNUSOCIAL') || die();
|
||||
define('GNUSOCIAL_ENGINE', 'GNU social');
|
||||
define('GNUSOCIAL_ENGINE_URL', 'https://www.gnu.org/software/social/');
|
||||
|
||||
define('GNUSOCIAL_BASE_VERSION', '1.21.3');
|
||||
define('GNUSOCIAL_BASE_VERSION', '1.22.0');
|
||||
define('GNUSOCIAL_LIFECYCLE', 'dev'); // 'dev', 'alpha[0-9]+', 'beta[0-9]+', 'rc[0-9]+', 'release'
|
||||
|
||||
define('GNUSOCIAL_VERSION', GNUSOCIAL_BASE_VERSION . '-' . GNUSOCIAL_LIFECYCLE);
|
||||
|
||||
define('GNUSOCIAL_CODENAME', 'The Invicta Crusade');
|
||||
define('GNUSOCIAL_CODENAME', 'Undecided');
|
||||
|
||||
define('AVATAR_PROFILE_SIZE', 96);
|
||||
define('AVATAR_STREAM_SIZE', 48);
|
||||
|
@ -351,6 +351,12 @@ class MediaFile
|
||||
File::respectsQuota($scoped, $_FILES[$param]['size']);
|
||||
}
|
||||
|
||||
// Gets a replacement extension if configured in the config, returns false if it's blocked
|
||||
$ext = File::getSafeExtension($_FILES[$param]['name']);
|
||||
if ($ext === false) {
|
||||
throw new ClientException(_('Blacklisted file extension.'));
|
||||
}
|
||||
|
||||
$mimetype = self::getUploadedMimeType($_FILES[$param]['tmp_name'], $_FILES[$param]['name']);
|
||||
$media = common_get_mime_media($mimetype);
|
||||
|
||||
@ -371,7 +377,7 @@ class MediaFile
|
||||
}
|
||||
|
||||
// New file name format
|
||||
$original_filename = bin2hex("{$basename}.{$ext}");
|
||||
$original_filename = bin2hex($basename);
|
||||
$filename = "{$original_filename}-{$filehash}";
|
||||
$filepath = File::path($filename);
|
||||
|
||||
@ -609,22 +615,20 @@ class MediaFile
|
||||
*/
|
||||
public static function getDisplayName(File $file) : string {
|
||||
// New file name format is "{bin2hex(original_name.ext)}-{$hash}"
|
||||
$ret = preg_match('/^([^\-]+)-.+$/', $file->filename, $matches);
|
||||
$ret = preg_match('/^([^\.-]+)-.+$/', $file->filename, $matches);
|
||||
// If there was an error in the match, something's wrong with some piece
|
||||
// of code (could be a file with utf8 chars in the name)
|
||||
$user_error_mesg = "Invalid file name ({$file->filename}).";
|
||||
$log_error_msg = "Invalid file name for File with id={$file->id} " .
|
||||
"({$file->filename}). Some plugin probably did something wrong.";
|
||||
$log_error_msg = "Invalid file name for File with id={$file->id} " .
|
||||
"({$file->filename}). Some plugin probably did something wrong.";
|
||||
|
||||
if ($ret === false) {
|
||||
common_log(LOG_ERR, $log_error_msg);
|
||||
throw new ServerException($user_error_msg);
|
||||
} elseif ($ret === 1) {
|
||||
$filename = hex2bin($matches[1]);
|
||||
} else {
|
||||
// The old file name format was "{hash}.{ext}"
|
||||
// This estracts the extension
|
||||
$ret = preg_match('/^[^\.]+\.(.+)$/', $file->filename, $matches);
|
||||
$ret = preg_match('/^.+?\.(.+)$/', $file->filename, $matches);
|
||||
if ($ret !== 1) {
|
||||
common_log(LOG_ERR, $log_error_msg);
|
||||
return _('Untitled attachment');
|
||||
|
Loading…
Reference in New Issue
Block a user