diff --git a/vtlib/Vtiger/Functions.php b/vtlib/Vtiger/Functions.php
index 67d11f7d647295710420e2b516c4fe8fb9b981e6..c95cc15b8272ce32c85f118afa9fc51fd071f45b 100644
--- a/vtlib/Vtiger/Functions.php
+++ b/vtlib/Vtiger/Functions.php
@@ -575,6 +575,21 @@ class Vtiger_Functions {
 		return $filepath;
 	}
 
+	static function validateImageMetadata($data) {
+		if (is_array($data)) {
+			foreach ($data as $key => $value) {
+				$ok = self::validateImageMetadata($value);
+				if (!$ok) return false;
+			}
+		} else {
+			if (stripos($data, "<?php")!== false ||
+				(stripos($data, "<?") !== false && preg_match("/\)[\s]*;/", $data))) {
+				return false;
+			}
+		}
+		return true;
+	}
+
 	static function validateImage($file_details) {
 		global $app_strings;
 		$allowedImageFormats = array('jpeg', 'png', 'jpg', 'pjpeg', 'x-png', 'gif', 'bmp');
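Review bot: In the `else` branch of `validateImageMetadata`, a non-string leaf of the EXIF array (ints and floats are common in `exif_read_data()` output, and `null` is possible) is passed straight to `stripos()`; under PHP 8 a null argument is deprecated and with strict types a non-string would throw, which turns a metadata quirk into a failed upload path. A one-line guard keeps the scan to the values that can carry text: `if (!is_string($data)) { return true; }` placed before the `stripos` test. The method also lacks a docblock; one describing it as a recursive, best-effort heuristic that rejects any EXIF value containing `<?php`, or `<?` together with a `);` sequence, would help the next reader, and the unused `$key` can become `foreach ($data as $value)`.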
@@ -598,10 +613,20 @@ class Vtiger_Functions {
 			$saveimage = 'false';
 		}
 
+		//metadata check
+		if ($saveimage == 'true') {
+			$exifdata = exif_read_data($file_details['tmp_name']);
+			if ($exifdata && !self::validateImageMetadata($exifdata)) {
+				$saveimage = 'false';
+			}
+		}
+
 		// Check for php code injection
-		$imageContents = file_get_contents($file_details['tmp_name']);
-		if (preg_match('/(<\?php?(.*?))/i', $imageContents) == 1) {
-			$saveimage = 'false';
+		if ($saveimage == 'true') {
+			$imageContents = file_get_contents($file_details['tmp_name']);
+			if (preg_match('/(<\?php?(.*?))/i', $imageContents) == 1) {
+				$saveimage = 'false';
+			}
 		}
 		return $saveimage;
 	}
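Review bot: The new metadata check calls `exif_read_data()` unconditionally, but it is only available when ext/exif is loaded, and for the PNG, GIF and BMP formats this method accepts it returns false with a warning, so on those formats the check silently does nothing and the decision rests on the content regex below. A guard such as `if (function_exists('exif_read_data') && in_array(exif_imagetype($file_details['tmp_name']), [IMAGETYPE_JPEG, IMAGETYPE_TIFF_II, IMAGETYPE_TIFF_MM], true))` around the call would make both the dependency and the covered formats explicit instead of relying on a warning. A short comment above the block stating that EXIF inspection only applies to JPEG/TIFF and that the other formats are covered by the content scan would document the intended layering. validateImage begins outside this hunk.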
@@ -964,11 +989,11 @@ class Vtiger_Functions {
 	 * @param  $claimedMime Array of bad file extenstions
 	 */
     static function verifyClaimedMIME($targetFile,$claimedMime) {
-    $fileMimeContentType= self::mime_content_type($targetFile);
-    if (in_array(strtolower($fileMimeContentType), $claimedMime)) {
-     return false; 
-    }
-    return true;
+    	$fileMimeContentType= self::mime_content_type($targetFile);
+    	if (in_array(strtolower($fileMimeContentType), $claimedMime)) {
+     		return false; 
+   		}
+    	return true;
 	}
 
 	/*