From 37945e5bd2284195a1a67e698e20e05ceb071156 Mon Sep 17 00:00:00 2001
From: Uma <uma.s@vtiger.com>
Date: Thu, 18 Jun 2020 12:46:59 +0530
Subject: [PATCH] Fixes disclosing of image geo-location and privacy data

---
 vtlib/Vtiger/Functions.php | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/vtlib/Vtiger/Functions.php b/vtlib/Vtiger/Functions.php
index 785d9efdd..ce63474f1 100644
--- a/vtlib/Vtiger/Functions.php
+++ b/vtlib/Vtiger/Functions.php
@@ -662,10 +662,18 @@ class Vtiger_Functions {
 		//metadata check
 		$shortTagSupported = ini_get('short_open_tag') ? true : false;
 		if ($saveimage == 'true') {
-			$exifdata = exif_read_data($file_details['tmp_name']);
-			if ($exifdata && !self::validateImageMetadata($exifdata, $shortTagSupported)) {
-				$saveimage = 'false';
-			}
+			$tmpFileName = $file_details['tmp_name'];
+			if($file_details['type'] == 'image/jpeg' || $file_details['type'] == 'image/tiff') {
+				$exifdata = @exif_read_data($file_details['tmp_name']);
+				if($exifdata && !self::validateImageMetadata($exifdata, $shortTagSupported)) {
+					$saveimage = 'false';
+                                }
+                                //131225968::remove sensitive information(like,GPS or camera information) from the image
+                                if(($saveimage == 'true' ) && ($file_details['type'] == 'image/jpeg' ) && extension_loaded('gd') && function_exists('gd_info')) {
+                                        $img = imagecreatefromjpeg($tmpFileName);
+                                        imagejpeg ($img, $tmpFileName);
+                                }
+				}
 		}
 
 		// Check for php code injection
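Review bot: The new `if($file_details['type'] == 'image/jpeg' || ...)` gate decides whether the EXIF validation and the metadata strip run at all, and if `$file_details` is the raw upload entry (its origin is outside this hunk) that `type` value is whatever the client declared. A JPEG sent with another declared type would then skip `validateImageMetadata()`, which the old code ran on every upload, and would keep its GPS/camera tags. Deriving the type from the file content with `exif_imagetype()` closes that gap; the fence also checks the result of `imagecreatefromjpeg()`/`imagejpeg()`, since a failed re-encode currently leaves the original metadata in place and the file is still saved. TIFF files and hosts without GD are validated but never stripped, which deserves a comment or a log line. The enclosing method starts and ends outside the hunk.

```php
$tmpFileName = $file_details['tmp_name'];
// Decide from the file's content, not from the type the client declared.
$imageType = exif_imagetype($tmpFileName);
if (in_array($imageType, array(IMAGETYPE_JPEG, IMAGETYPE_TIFF_II, IMAGETYPE_TIFF_MM), true)) {
	// … unchanged: exif_read_data() + validateImageMetadata() check …
	if ($saveimage == 'true' && $imageType === IMAGETYPE_JPEG && extension_loaded('gd')) {
		$img = imagecreatefromjpeg($tmpFileName);
		if ($img === false || !imagejpeg($img, $tmpFileName)) {
			// Re-encode failed: the original metadata is still in the file, so reject it.
			$saveimage = 'false';
		}
	}
}
```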
-- 
GitLab