Merge pull request from GHSA-4j97-6w6q-gxjx

Add file type blacklist and prevent execution of uploaded files
Alanaktion · Apr 20, 2020 · b49d642 · b49d642
2 parents 10dba6d + 64ec6aa
commit b49d642
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 21 deletions.
diff --git a/app/controller/issues.php b/app/controller/issues.php
@@ -1187,6 +1187,14 @@ public function upload($f3)
         $orig_name = preg_replace("/[^A-Z0-9._-]/i", "_", $_FILES['attachment']['name']);
         $_FILES['attachment']['name'] = time() . "_" . $orig_name;
 
+        // Blacklist certain file types
+        if ($f3->get('security.file_blacklist')) {
+            if (preg_match($f3->get('security.file_blacklist'), $orig_name)) {
+                $f3->error(415);
+                return;
+            }
+        }
+
         $i = 0;
         $parts = pathinfo($_FILES['attachment']['name']);
         while (file_exists($f3->get("UPLOADS") . $_FILES['attachment']['name'])) {

diff --git a/app/controller/user.php b/app/controller/user.php
@@ -261,7 +261,7 @@ public function avatar($f3)
         $finfo = finfo_open(FILEINFO_MIME_TYPE);
         $allowedTypes = ['image/jpeg', 'image/gif', 'image/png', 'image/bmp'];
         if (!in_array(finfo_file($finfo, $_FILES['avatar']['tmp_name']), $allowedTypes)) {
-            $f3->error(400);
+            $f3->error(415);
             return;
         }
         finfo_close($finfo);

diff --git a/db/20.04.20.sql b/db/20.04.20.sql
@@ -0,0 +1 @@
+INSERT INTO `config` (`attribute`,`value`) VALUES ('security.file_blacklist', '/\.(ph(p([3457s]|\-s)?|t|tml)|aspx?|shtml|exe|dll)$/i');
diff --git a/db/database.sql b/db/database.sql
@@ -323,4 +323,5 @@ CREATE TABLE `config` (
 );
 
 INSERT INTO `config` (`attribute`,`value`) VALUES ('security.reset_ttl', '86400');
-INSERT INTO `config` (`attribute`, `value`) VALUES ('version', '18.02.19');
+INSERT INTO `config` (`attribute`,`value`) VALUES ('security.file_blacklist', '/\.(ph(p([3457s]|\-s)?|t|tml)|aspx?|shtml|exe|dll)$/i');
+INSERT INTO `config` (`attribute`, `value`) VALUES ('version', '20.04.20');
diff --git a/nginx-example.conf b/nginx-example.conf
@@ -1,6 +1,6 @@
 server {
 	listen 80;
-	#listen 443 ssl;
+	#listen 443 ssl http2;
 
 	#ssl_certificate /etc/nginx/ssl/phproject.crt;
 	#ssl_certificate_key /etc/nginx/ssl/phproject.key;
@@ -15,16 +15,14 @@ server {
 		try_files $uri $uri/ /index.php?$args;
 	}
 
-	# Disable logging of ping requests
-	location /ping {
-		access_log off;
-		try_files $uri $uri/ /index.php?$args;
-		location ~ \.php$ {
-			fastcgi_split_path_info ^(.+\.php)(/.+)$;
-			fastcgi_pass 127.0.0.1:9000;
-			fastcgi_index index.php;
-			include fastcgi_params;
-		}
+	location ~ ^/app/(controller|dict|helper|model|view) {
+		deny all;
+	}
+	location ~ ^/uploads/ {
+		deny all;
+	}
+	location ~ /\.ht {
+		deny all;
 	}
 
 	location ~ \.php$ {
@@ -34,13 +32,5 @@ server {
 		include fastcgi_params;
 	}
 
-	location ~ ^/app/(controller|dict|helper|model|view) {
-		deny all;
-	}
-
-	location ~ /\.ht {
-		deny all;
-	}
-
 	client_max_body_size 64M;
 }
diff --git a/uploads/.gitignore b/uploads/.gitignore
@@ -1 +1,2 @@
 *
+!.htaccess
diff --git a/uploads/.htaccess b/uploads/.htaccess
@@ -0,0 +1 @@
+Deny from all