From b0200d4741a3852ac305cc3b20a4e22a680b8074 Mon Sep 17 00:00:00 2001
From: prasad <prasad@vtiger.com>
Date: Fri, 24 Jun 2016 15:57:36 +0530
Subject: [PATCH] Enhanced image metadata check for file uploads.

---
 vtlib/Vtiger/Functions.php | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/vtlib/Vtiger/Functions.php b/vtlib/Vtiger/Functions.php
index f0b1c6602..6b757bb1a 100644
--- a/vtlib/Vtiger/Functions.php
+++ b/vtlib/Vtiger/Functions.php
@@ -575,6 +575,21 @@ class Vtiger_Functions {
 return $filepath;
 }
 
+ static function validateImageMetadata($data) {
+ if (is_array($data)) {
+ foreach ($data as $key => $value) {
+ $ok = self::validateImageMetadata($value);
+ if (!$ok) return false;
+ }
+ } else {
+ if (stripos($data, "<?php")!== false ||
+ (stripos($data, "<?") !== false && preg_match("/\)[\s]*;/", $data)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
 static function validateImage($file_details) {
 global $app_strings;
 $allowedImageFormats = array('jpeg', 'png', 'jpg', 'pjpeg', 'x-png', 'gif', 'bmp');
@@ -598,10 +613,20 @@ class Vtiger_Functions {
 $saveimage = 'false';
 }
 
+ //metadata check
+ if ($saveimage == 'true') {
+ $exifdata = exif_read_data($file_details['tmp_name']);
+ if ($exifdata && !self::validateImageMetadata($exifdata)) {
+ $saveimage = 'false';
+ }
+ }
+
 // Check for php code injection
- $imageContents = file_get_contents($file_details['tmp_name']);
- if (preg_match('/(<\?php?(.*?))/i', $imageContents) == 1) {
- $saveimage = 'false';
+ if ($saveimage == 'true') {
+ $imageContents = file_get_contents($file_details['tmp_name']);
+ if (preg_match('/(<\?php?(.*?))/i', $imageContents) == 1) {
+ $saveimage = 'false';
+ }
 }
 return $saveimage;
 }
-- 
GitLab
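Review bot: validateImageMetadata passes every non-array leaf straight to stripos(), but the arrays exif_read_data() returns may also hold integers, floats, booleans or null, so a non-string leaf relies on implicit coercion and a null leaf is a deprecation notice on PHP 8.1+; guard the else branch with `if (!is_string($data)) { return true; }` before the stripos() calls, or cast with `(string) $data`. The recursion itself is sound, though `$key` in the foreach is never read and can go with `foreach ($data as $value)`. Matching a couple of tag strings inside metadata is a denylist, so it is a detection aid rather than a guarantee; the durable control is to re-encode uploaded images (for example through GD) so the original metadata is never persisted, and to store uploads where the web server does not execute PHP.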
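Review bot: exif_read_data() only parses JPEG and TIFF streams and emits an E_WARNING ("File not supported") for other formats, yet $allowedImageFormats in the first hunk admits png, gif and bmp, so every such upload now logs a warning before the `$exifdata && ...` guard discards the false return; on a build without the exif extension the call is an undefined-function error. Gate it on both conditions, e.g. `if ($saveimage == 'true' && function_exists('exif_read_data') && in_array(exif_imagetype($file_details['tmp_name']), array(IMAGETYPE_JPEG, IMAGETYPE_TIFF_II, IMAGETYPE_TIFF_MM), true)) {`, or run it under a temporary error handler that turns the warning into a false result. Note that the existing content regex a few lines below already scans the raw file bytes, which include the embedded EXIF segment, so the metadata pass adds coverage mainly for the `<?` plus `);` pattern rather than the `<?php` one. validateImage starts in the previous hunk and the earlier checks that set $saveimage lie outside this one.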