From 5cc3937b6bc38293ec921a5cf00018b48b668dc6 Mon Sep 17 00:00:00 2001
From: Patrick <pk@konstand.de>
Date: Wed, 20 Oct 2021 10:18:27 +0200
Subject: [PATCH] secure gallery upload

- add csrf token
- add random int to filenmae
- check for image file suffix
---
 acp/core/files.upload_gallery.php     | 43 ++++++++++++++++++++-------
 acp/templates/gallery_upload_form.tpl |  4 +--
 2 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/acp/core/files.upload_gallery.php b/acp/core/files.upload_gallery.php
index 3d0df7aa..d0367091 100644
--- a/acp/core/files.upload_gallery.php
+++ b/acp/core/files.upload_gallery.php
@@ -1,5 +1,21 @@
 <?php
 
+session_start();
+
+if($_SESSION['user_class'] != "administrator"){
+	header("location:../index.php");
+	die("PERMISSION DENIED!");
+}
+
+require '../../config.php';
+if(is_file('../../'.FC_CONTENT_DIR.'/config.php')) {
+	include '../../'.FC_CONTENT_DIR.'/config.php';
+}
+
+if($_POST['csrf_token'] !== $_SESSION['token']) {
+	die('Error: CSRF Token is invalid');
+}
+
 $year = date('Y',time());
 $gallery_id = 'gallery'. (int) $_REQUEST['gal'];
 $uploads_dir = '../../content/galleries/'.$year.'/'.$gallery_id;
@@ -20,19 +36,26 @@
 }
 
 if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
+	
 	$tmp_name = $_FILES["file"]["tmp_name"];
 	$timestring = microtime(true);
+	$random_int = random_int(0, 999);
 	      
-	$suffix = strrchr($_FILES["file"]["name"],".");
-	$org_name = $timestring . $suffix;
-	$img_name = $timestring."_img.jpg";
-	$tmb_name = $timestring."_tmb.jpg";
+	$suffix = substr(strrchr($_FILES["file"]["name"],"."),1);
+	$org_name = $timestring .'.'. $suffix;
+	$img_name = $timestring.$random_int."_img.jpg";
+	$tmb_name = $timestring.$random_int."_tmb.jpg";
+
+	if(!in_array($suffix, $fc_upload_img_types)) {
+		exit;
+	} else {
         
-	if(move_uploaded_file($tmp_name, "$uploads_dir/$org_name")) {
-		create_thumbs($uploads_dir,$org_name,$img_name, $max_width,$max_height,90);
-		create_thumbs($uploads_dir,$img_name,$tmb_name, $max_width_tmb,$max_height_tmb,80);
-		unlink("$uploads_dir/$org_name");
-		print ('Uploaded');
+		if(move_uploaded_file($tmp_name, "$uploads_dir/$org_name")) {
+			create_thumbs($uploads_dir,$org_name,$img_name, $max_width,$max_height,90);
+			create_thumbs($uploads_dir,$img_name,$tmb_name, $max_width_tmb,$max_height_tmb,80);
+			unlink("$uploads_dir/$org_name");
+			print ('Uploaded');
+		}
 	}
 }
 function create_thumbs($updir, $img, $name, $thumbnail_width, $thumbnail_height, $quality){
@@ -40,7 +63,7 @@ function create_thumbs($updir, $img, $name, $thumbnail_width, $thumbnail_height,
 	$original_width		= $arr_image_details[0];
 	$original_height	= $arr_image_details[1];
 	$a = $thumbnail_width / $thumbnail_height;
-  $b = $original_width / $original_height;
+	$b = $original_width / $original_height;
 	
 	
 	if ($a<$b) {
diff --git a/acp/templates/gallery_upload_form.tpl b/acp/templates/gallery_upload_form.tpl
index 99de9274..772a26b0 100644
--- a/acp/templates/gallery_upload_form.tpl
+++ b/acp/templates/gallery_upload_form.tpl
@@ -2,9 +2,8 @@
   <div class="modal-dialog modal-lg modal-dialog-centered" role="document">
     <div class="modal-content">
       <div class="modal-header">
-        <h5 class="modal-title">Upload into {post_id}</h5>
+        <h5 class="modal-title">Upload into Gallery ID #{post_id}</h5>
         <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close">
-          <span aria-hidden="true">&times;</span>
         </button>
       </div>
       <div class="modal-body">
@@ -26,6 +25,7 @@
 
 <form action="acp.php?tn=posts&sub=edit" method="POST" id="reload_form">
 	<input type="hidden" name="post_id" value="{post_id}">
+	<input type="hidden" name="csrf_token" value="{token}">
 </form>
 
 <script>