sec(Products) XSS based on XML file upload

include/utils/CommonUtils.php

@@ -2348,7 +2348,8 @@ function validateImageFile($file_details) {
 		}
 		$filetype = strtolower($filetype);
 	}
-	if (in_array($filetype, ['jpeg', 'png', 'jpg', 'pjpeg', 'x-png', 'gif', 'bmp', 'svg', 'svg+xml'])) {
+	if (in_array($filetype, ['jpeg', 'png', 'jpg', 'pjpeg', 'x-png', 'gif', 'bmp', 'svg', 'svg+xml', 'xml', 'text/xml'])) {
+		// we add XML to the array in order to apply validation rules to that type as it can contain executable code
 		$saveimage = 'true';
 	} else {
 		$saveimage = 'false';
@@ -2432,6 +2433,7 @@ function validateImageContents($filename) {
 				|| preg_match('/(<?script(.*?)language(.*?)=(.*?)"(.*?)php(.*?)"(.*?))/si', $contents) === 1
 				|| preg_match('/(<script(.*?)language(.*?)=(.*?)"(.*?)javascript(.*?)"(.*?))/si', $contents) === 1
 				|| preg_match('/(<script(.*?)type(.*?)=(.*?)"(.*?)javascript(.*?)"(.*?))/si', $contents) === 1
+				|| preg_match('/<\s*html\s*:\s*script\s*>/i', $contents) === 1 // XML
 				|| preg_match('/<\s*script\s*>/i', $contents) === 1
 				|| stripos($contents, '<?=') !== false
 				|| stripos($contents, '<%=') !== false

include/utils/DetailViewUtils.php

@@ -510,6 +510,8 @@ function getDetailViewOutputHtml($uitype, $fieldname, $fieldlabel, $col_fields,
 
 				$imagepath_array[] = $adb->query_result($result_image, $image_iter, 'path');
 			}
+			global $site_URL;
+			$baseimgurl = $site_URL.'/index.php?module=Utilities&action=UtilitiesAjax&file=ExecuteFunctions&functiontocall=downloadfile&entityid=';
 			if (count($image_array) > 1) {
 				if (count($image_array) < 4) {
 					$sides = count($image_array) * 2;
@@ -522,14 +524,14 @@ function getDetailViewOutputHtml($uitype, $fieldname, $fieldlabel, $col_fields,
 					</div><script>var Car_NoOfSides=' . $sides . '; Car_Image_Sources=new Array(';
 
 				for ($image_iter = 0, $image_iterMax = count($image_array); $image_iter < $image_iterMax; $image_iter++) {
-					$images[] = '"' . $imagepath_array[$image_iter] . $image_id_array[$image_iter] . "_" . $image_array[$image_iter] . '","'
-						. $imagepath_array[$image_iter] . $image_id_array[$image_iter] . "_" . $image_array[$image_iter] . '"';
+					$imgurl = $baseimgurl.((int)$image_id_array[$image_iter]-1).'&fileid='.$image_id_array[$image_iter];
+					$images[] = '"' . $imgurl . '","' . $imgurl . '"';
 				}
 				$image_lists .= implode(',', $images) . ');</script>';
 				$image_lists .= '<script type="text/javascript" src="modules/Products/Productsslide.js"></script><script type="text/javascript">Carousel();</script>';
 				$label_fld[] = $image_lists;
 			} elseif (count($image_array) == 1) {
-				$label_fld[] = '<img src="' . $imagepath_array[0] . $image_id_array[0] .'_'. $image_array[0] . '" border="0" style="max-width:300px; max-height:300px">';
+				$label_fld[]='<img src="'.$baseimgurl.((int)$image_id_array[0]-1).'&fileid='.$image_id_array[0].'" border="0" style="max-width:300px; max-height:300px">';
 			} else {
 				$label_fld[] = '';
 			}

modules/Products/Products.php

@@ -271,6 +271,9 @@ public function insertIntoAttachment($id, $module, $direct_import = false) {
 				}
 				$files['original_name'] = str_replace('"', '', $files['original_name']);
 				$file_saved = $this->uploadAndSaveFile($id, $module, $files, '', $direct_import, 'imagename');
+				if (!$file_saved) {
+					return false;
+				}
 			}
 			unset($_FILES[$fileindex]);
 		}
@@ -296,6 +299,7 @@ public function insertIntoAttachment($id, $module, $direct_import = false) {
 			parent::insertIntoAttachment($id, $module, $direct_import);
 		}
 		$log->debug('< insertIntoAttachment');
+		return true;
 	}
 
 	/**	function used to get the list of leads which are related to the product

modules/Products/UploadImage.php

@@ -21,6 +21,11 @@
 	$record = vtlib_purify($_REQUEST['record']);
 	$product = CRMEntity::getInstance('Products');
 	$product->retrieve_entity_info($record, 'Products');
-	$product->insertIntoAttachment($record, 'Products');
+	$file_saved = $product->insertIntoAttachment($record, 'Products');
+	if (!$file_saved) {
+		http_response_code(401);
+		header('Content-Type: text/plain; charset=utf-8');
+		echo getTranslatedString('LBL_IMAGESECURITY_ERROR');
+	}
 }
 ?>