Fix RVE-2026-6 possible command injection via magick

This commit is contained in:
Kijin Sung 2026-03-19 17:50:44 +09:00
parent 94008fbe9b
commit 4ee0699dea
2 changed files with 7 additions and 7 deletions


@ -426,7 +426,7 @@ class FileAdminController extends File
// Resize the image using GD or ImageMagick. // Resize the image using GD or ImageMagick.
$config = FileModel::getFileConfig(); $config = FileModel::getFileConfig();
$result = FileHandler::createImageFile(FileHandler::getRealPath($file->uploaded_filename), $temp_filename, $width, $height, $format, 'fill', $quality); $result = FileHandler::createImageFile(FileHandler::getRealPath($file->uploaded_filename), $temp_filename, $width, $height, $format, 'fill', $quality);
if (!$result && !empty($config->magick_command)) if (!$result && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
{ {
$temp_dir = dirname($temp_filename); $temp_dir = dirname($temp_filename);
if (!Rhymix\Framework\Storage::isDirectory($temp_dir)) if (!Rhymix\Framework\Storage::isDirectory($temp_dir))
@ -434,7 +434,7 @@ class FileAdminController extends File
Rhymix\Framework\Storage::createDirectory($temp_dir); Rhymix\Framework\Storage::createDirectory($temp_dir);
} }
$command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [ $command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
\RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command, (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
escapeshellarg(FileHandler::getRealPath($file->uploaded_filename)), escapeshellarg(FileHandler::getRealPath($file->uploaded_filename)),
$width, $height, $quality, $width, $height, $quality,
'-auto-orient -strip', '-auto-orient -strip',
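Review bot: The new `Storage::isExecutable` guard on the first hunk's `if` only proves the configured path can be run, not that it is ImageMagick, so a `magick_command` of e.g. `/bin/sh` still passes and the built command line becomes `/bin/sh '/real/path/upload.jpg' -resize …`, which runs the uploaded file as a script; if the admin form accepts an arbitrary path, that is a weaker form of the same RVE-2026-6 problem, and pinning the basename before building the command, `in_array(strtolower(pathinfo($config->magick_command, PATHINFO_FILENAME)), ['magick', 'convert'], true)`, would close it. Because `isExecutable` already requires a single path with no trailing arguments, the `preg_match('![^a-z0-9/._-]!', …)` allowlist on the second hunk's first vsprintf argument buys nothing over an unconditional `escapeshellarg($config->magick_command)` (a quoted `'/usr/bin/magick'` resolves identically in sh), and the same three-way expression is now copied at four call sites across two files, so one helper such as `FileHandler::getMagickCommand($config)` returning the escaped command or `null` would keep the next fix in one place. If `isExecutable` wraps PHP's `is_executable()`, bare PATH-relative names such as `magick` will now fail the check and silently fall back to GD, which may be intended but is a behaviour change worth a comment or an admin-UI note. The vsprintf call in the second hunk continues past the end of the hunk, so its remaining arguments were not reviewed.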


@ -1162,9 +1162,9 @@ class FileController extends File
public function adjustUploadedImage($file_info, $config) public function adjustUploadedImage($file_info, $config)
{ {
// Get image information // Get image information
if (in_array($file_info['extension'], ['avif', 'heic', 'heif']) && !empty($config->magick_command)) if (in_array($file_info['extension'], ['avif', 'heic', 'heif']) && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
{ {
$command = \RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command; $command = (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command;
$command .= ' identify ' . escapeshellarg($file_info['tmp_name']); $command .= ' identify ' . escapeshellarg($file_info['tmp_name']);
@exec($command, $output, $return_var); @exec($command, $output, $return_var);
if ($return_var === 0 && preg_match('/([A-Z]+) ([0-9]+)x([0-9]+)/', substr(array_last($output), strlen($file_info['tmp_name'])), $matches)) if ($return_var === 0 && preg_match('/([A-Z]+) ([0-9]+)x([0-9]+)/', substr(array_last($output), strlen($file_info['tmp_name'])), $matches))
@ -1356,7 +1356,7 @@ class FileController extends File
// Convert using magick // Convert using magick
$command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [ $command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
\RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command, (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
escapeshellarg($file_info['tmp_name']), escapeshellarg($file_info['tmp_name']),
$adjusted['width'], $adjusted['width'],
$adjusted['height'], $adjusted['height'],
@ -1374,10 +1374,10 @@ class FileController extends File
$result = FileHandler::createImageFile($file_info['tmp_name'], $output_name, $adjusted['width'], $adjusted['height'], $adjusted['type'], 'fill', $adjusted['quality'], $adjusted['rotate']); $result = FileHandler::createImageFile($file_info['tmp_name'], $output_name, $adjusted['width'], $adjusted['height'], $adjusted['type'], 'fill', $adjusted['quality'], $adjusted['rotate']);
// If the image cannot be resized using GD, try ImageMagick. // If the image cannot be resized using GD, try ImageMagick.
if (!$result && !empty($config->magick_command)) if (!$result && !empty($config->magick_command) && Rhymix\Framework\Storage::isExecutable($config->magick_command))
{ {
$command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [ $command = vsprintf('%s %s -resize %dx%d -quality %d %s %s %s', [
\RX_WINDOWS ? escapeshellarg($config->magick_command) : $config->magick_command, (preg_match('![^a-z0-9/._-]!', $config->magick_command) || \RX_WINDOWS) ? escapeshellarg($config->magick_command) : $config->magick_command,
escapeshellarg($file_info['tmp_name']), escapeshellarg($file_info['tmp_name']),
$adjusted['width'], $adjusted['width'],
$adjusted['height'], $adjusted['height'],