From 4ee0699dea8abadd3df564e537f1c22c6b3b6108 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Thu, 19 Mar 2026 17:50:44 +0900
Subject: [PATCH] Fix RVE-2026-6 possible command injection via magick

---
 modules/file/file.admin.controller.php | 4 ++--
 modules/file/file.controller.php | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/modules/file/file.admin.controller.php b/modules/file/file.admin.controller.php
index 3cb11c989..9229e2ff0 100644
--- a/modules/file/file.admin.controller.php
+++ b/modules/file/file.admin.controller.php
@@ -426,7 +426,7 @@ class FileAdminController extends File
 // Resize the image using GD or ImageMagick.
 $config = FileModel::getFileConfig();
 $result = FileHandler::createImageFile(FileHandler::getRealPath($file->uploaded_filename), $temp_filename, $width, $height, $format, 'fill', $quality);
- if (!$result && !empty($config->magick_command))
+ if (!$result && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
 {
 $temp_dir = dirname($temp_filename);
 if (!Rhymix\Framework\Storage::isDirectory($temp_dir))
@@ -434,7 +434,7 @@ class FileAdminController extends File
 Rhymix\Framework\Storage::createDirectory($temp_dir);
 }
 $command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
- \RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command,
+ (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
 escapeshellarg(FileHandler::getRealPath($file->uploaded_filename)),
 $width, $height, $quality,
 '-auto-orient -strip',
diff --git a/modules/file/file.controller.php b/modules/file/file.controller.php
index 81d1419db..d414635c1 100644
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
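Review bot: The new `Rhymix\Framework\Storage::isExecutable($config->magick_command)` guard on the `if` line will reject a bare command name such as `magick` if it is a thin wrapper around PHP's `is_executable()`, which tests a filesystem path (relative to the current directory) and never searches PATH; that implementation is outside this patch, so please confirm. When the guard is false the block silently falls back to GD, so a previously working configuration degrades with no trace in the logs. Either resolve a bare name against PATH before the check, or state in the admin setting that an absolute path is required, and log the rejected value so the fallback is visible. The same guard is added in the hunks at 1162 and 1374 of file.controller.php.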
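Review bot: The conditional on the replaced `\RX_WINDOWS` line does not buy anything over unconditional quoting: for a value that passes `![^a-z0-9/._-]!`, `escapeshellarg()` produces a single-quoted word that `sh -c` resolves exactly as the bare word (PATH lookup included), and every value that fails the allow-list is quoted anyway, so `escapeshellarg($config->magick_command),` alone gives the same behaviour with less code. As written the expression also fails open in principle if `preg_match()` returns `false` on an internal error, because `false || \RX_WINDOWS` leaves the value unquoted; if the conditional is kept, compare with `!== 0` so an error still quotes. The same literal is repeated in the three hunks of file.controller.php (1162, 1356, 1374); one small helper on the File module would keep the allow-list, and any future change to it, in a single place.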
@@ -1162,9 +1162,9 @@ class FileController extends File
 public function adjustUploadedImage($file_info, $config)
 {
 // Get image information
- if (in_array($file_info['extension'], ['avif', 'heic', 'heif']) && !empty($config->magick_command))
+ if (in_array($file_info['extension'], ['avif', 'heic', 'heif']) && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
 {
- $command = \RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command;
+ $command = (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command;
 $command .= ' identify ' . escapeshellarg($file_info['tmp_name']);
 @exec($command, $output, $return_var);
 if ($return_var === 0 && preg_match('/([A-Z]+) ([0-9]+)x([0-9]+)/', substr(array_last($output), strlen($file_info['tmp_name'])), $matches))
@@ -1356,7 +1356,7 @@ class FileController extends File
 // Convert using magick
 $command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
- \RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command,
+ (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
 escapeshellarg($file_info['tmp_name']),
 $adjusted['width'], $adjusted['height'],
@@ -1374,10 +1374,10 @@ class FileController extends File
 $result = FileHandler::createImageFile($file_info['tmp_name'], $output_name, $adjusted['width'], $adjusted['height'], $adjusted['type'], 'fill', $adjusted['quality'], $adjusted['rotate']);
 
 // If the image cannot be resized using GD, try ImageMagick.
- if (!$result && !empty($config->magick_command))
+ if (!$result && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
 {
 $command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
- \RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command,
+ (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
 escapeshellarg($file_info['tmp_name']),
 $adjusted['width'], $adjusted['height'],