2005-04-10
andi
Håvar Henriksen discovered the following security problem.
I just tried to upload a PHP file called "testjpg.php" on a private wiki I'm editing, and it wasn't stopped by the media upload script as it was supposed to. I was then able to execute the PHP script from the media directory.
I tried downloading the latest release from your website, and then installed it on my local PC. I got the same error.
The error seems to be on line 78 of the media.php file:
if(preg_match('/\\.'.$conf['uploadtypes'].'$/i',$fn)){
Grouping the file extension list by adding a couple of parentheses like this seems to fix it:
if(preg_match('/\\.('.$conf['uploadtypes'].')$/i',$fn)){
==Additional information==
Without the extra parentheses the regular expression would only check that the filename either contains .gif, jpg/jpeg, png, (...) tar/tar.gz, or *ends* with tgz. (Notice that it only checks for the dot before the gif extension, not any of the other ones) Grouping the alternations with parentheses around them would make the escaped dot (\\.) and the "ends with char" ($) apply to the whole file extension list, and not only the first and the last one. If you take a closer look at this, you'll see what I mean: '/\\.gif|jpe?g|png|zip|pdf|tar(\\.gz)?|tgz$/i'
(As you can see, without the parentheses the only file names that wouldn't be approved are "testtgz.php", "testgif.php" or any other file that doesn't contain one of the rest of the words from the alternation part of the regexp)
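To make the precedence problem concrete, here is an added example (not code from the report or from DokuWiki) that transcribes the reported regex and its grouped fix into Python's `re` module, which treats `|`, `\.` and `$` exactly as PCRE does here, and runs both over a few constructed filenames. The extension list is the one quoted in the report; the helper names are my own.

```python
import re

# The alternation list as the report quotes $conf['uploadtypes'].
UPLOADTYPES = r"gif|jpe?g|png|zip|pdf|tar(\.gz)?|tgz"

# Vulnerable form (media.php line 78 as reported): alternation binds loosest,
# so "\." belongs only to "gif" and "$" only to "tgz". Every other branch is
# an unanchored substring match, e.g. "jpg" anywhere in the name.
VULNERABLE_RE = re.compile(r"\." + UPLOADTYPES + r"$", re.I)

# Fixed form from the report: the parentheses make "\." and "$" apply to the
# whole list, so the name must END with a dot followed by one listed extension.
FIXED_RE = re.compile(r"\.(" + UPLOADTYPES + r")$", re.I)


def upload_allowed(filename: str, pattern: "re.Pattern" = FIXED_RE) -> bool:
    """Return True if filename passes the extension whitelist check."""
    return pattern.search(filename) is not None


def compare(filenames):
    """Map each name to (vulnerable_result, fixed_result) for side-by-side review."""
    return {
        fn: (upload_allowed(fn, VULNERABLE_RE), upload_allowed(fn, FIXED_RE))
        for fn in filenames
    }


if __name__ == "__main__":
    # Constructed sample names; "testjpg.php" is the case from the report.
    for name, (vuln, fixed) in compare(
        ["photo.jpg", "testjpg.php", "testgif.php", "archive.tar.gz", "README.PDF"]
    ).items():
        print(f"{name:16} vulnerable={vuln!s:5} fixed={fixed}")
```

Note that `$` in both PCRE and Python also matches just before a trailing newline; if filenames can carry one, anchor with `\z` (PCRE) or `\Z` (Python) instead.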