fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-04-02 01:52:10 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix RVE-2026-6 possible command injection via magick

Browse source
This commit is contained in:
Kijin Sung 2026-03-19 17:50:44 +09:00
parent 94008fbe9b
commit 4ee0699dea
2 changed files with 7 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

10
modules/file/file.controller.php
View file

@ -1162,9 +1162,9 @@ class FileController extends File
public function adjustUploadedImage($file_info, $config)
{
// Get image information
if (in_array($file_info['extension'], ['avif', 'heic', 'heif']) && !empty($config->magick_command))
if (in_array($file_info['extension'], ['avif', 'heic', 'heif']) && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
{
$command = \RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command;
$command = (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command;
$command .= ' identify ' . escapeshellarg($file_info['tmp_name']);
@exec($command, $output, $return_var);
if ($return_var === 0 && preg_match('/([A-Z]+) ([0-9]+)x([0-9]+)/', substr(array_last($output), strlen($file_info['tmp_name'])), $matches))
@ -1356,7 +1356,7 @@ class FileController extends File
// Convert using magick
$command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
\RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command,
(preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
escapeshellarg($file_info['tmp_name']),
$adjusted['width'],
$adjusted['height'],
@ -1374,10 +1374,10 @@ class FileController extends File
$result = FileHandler::createImageFile($file_info['tmp_name'], $output_name, $adjusted['width'], $adjusted['height'], $adjusted['type'], 'fill', $adjusted['quality'], $adjusted['rotate']);
// If the image cannot be resized using GD, try ImageMagick.
if (!$result && !empty($config->magick_command))
if (!$result && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
{
$command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
\RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command,
(preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
escapeshellarg($file_info['tmp_name']),
$adjusted['width'],
$adjusted['height'],