author | Mike Macgirvin <mike@macgirvin.com> | 2018-10-31 15:56:08 +1100 |
committer | Mike Macgirvin <mike@macgirvin.com> | 2018-10-31 15:56:08 +1100 |
commit | 7e1f431eca7a8aa68fc0badfaa88e88de3ba094c (patch) | |
tree | 16beba352cd4ace4aa6eb13c7f9c1c82c92013b4 | |
parent | 70c55da1df69d90dcbeb5a78c994b23a8456bfc9 (diff) | |
yet another blueimp vulnerability. Move to composer.
-rw-r--r-- | Zotlabs/Module/Photos.php | 6 | ||||
-rw-r--r-- | composer.json | 3 | ||||
-rw-r--r-- | composer.lock | 57 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/.gitignore (renamed from library/blueimp_upload/.gitignore) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/.jshintrc (renamed from library/blueimp_upload/.jshintrc) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/.npmignore (renamed from library/blueimp_upload/.npmignore) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/CONTRIBUTING.md (renamed from library/blueimp_upload/CONTRIBUTING.md) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/LICENSE.txt (renamed from library/blueimp_upload/LICENSE.txt) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/README.md (renamed from library/blueimp_upload/README.md) | 18 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/SECURITY.md | 133 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/VULNERABILITIES.md | 65 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/angularjs.html (renamed from library/blueimp_upload/angularjs.html) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/basic-plus.html (renamed from library/blueimp_upload/basic-plus.html) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/basic.html (renamed from library/blueimp_upload/basic.html) | 0 | ||||
-rwxr-xr-x | vendor/blueimp/jquery-file-upload/bower-version-update.js (renamed from library/blueimp_upload/bower-version-update.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/bower.json (renamed from library/blueimp_upload/bower.json) | 2 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/composer.json | 39 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/cors/postmessage.html (renamed from library/blueimp_upload/cors/postmessage.html) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/cors/result.html (renamed from library/blueimp_upload/cors/result.html) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/css/jquery-ui-demo-ie8.css (renamed from library/blueimp_upload/css/jquery-ui-demo-ie8.css) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/css/jquery-ui-demo.css (renamed from library/blueimp_upload/css/jquery-ui-demo.css) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/css/jquery.fileupload-noscript.css (renamed from library/blueimp_upload/css/jquery.fileupload-noscript.css) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui-noscript.css (renamed from library/blueimp_upload/css/jquery.fileupload-ui-noscript.css) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui.css (renamed from library/blueimp_upload/css/jquery.fileupload-ui.css) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/css/jquery.fileupload.css (renamed from library/blueimp_upload/css/jquery.fileupload.css) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/css/style.css (renamed from library/blueimp_upload/css/style.css) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/img/loading.gif (renamed from library/blueimp_upload/img/loading.gif) | bin | 3897 -> 3897 bytes | |||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/img/progressbar.gif (renamed from library/blueimp_upload/img/progressbar.gif) | bin | 3323 -> 3323 bytes | |||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/index.html (renamed from library/blueimp_upload/index.html) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/jquery-ui.html (renamed from library/blueimp_upload/jquery-ui.html) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/app.js (renamed from library/blueimp_upload/js/app.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/cors/jquery.postmessage-transport.js (renamed from library/blueimp_upload/js/cors/jquery.postmessage-transport.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/cors/jquery.xdr-transport.js (renamed from library/blueimp_upload/js/cors/jquery.xdr-transport.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-angular.js (renamed from library/blueimp_upload/js/jquery.fileupload-angular.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-audio.js (renamed from library/blueimp_upload/js/jquery.fileupload-audio.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-image.js (renamed from library/blueimp_upload/js/jquery.fileupload-image.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-jquery-ui.js (renamed from library/blueimp_upload/js/jquery.fileupload-jquery-ui.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-process.js (renamed from library/blueimp_upload/js/jquery.fileupload-process.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-ui.js (renamed from library/blueimp_upload/js/jquery.fileupload-ui.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-validate.js (renamed from library/blueimp_upload/js/jquery.fileupload-validate.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload-video.js (renamed from library/blueimp_upload/js/jquery.fileupload-video.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js (renamed from library/blueimp_upload/js/jquery.fileupload.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js (renamed from library/blueimp_upload/js/jquery.iframe-transport.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/main.js (renamed from library/blueimp_upload/js/main.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js (renamed from library/blueimp_upload/js/vendor/jquery.ui.widget.js) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/package.json (renamed from library/blueimp_upload/package.json) | 2 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/gae-go/app.yaml (renamed from library/blueimp_upload/server/gae-go/app.yaml) | 2 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/gae-go/main.go (renamed from library/blueimp_upload/server/gae-go/app/main.go) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/gae-go/static/robots.txt (renamed from library/blueimp_upload/server/gae-go/static/robots.txt) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/gae-python/app.yaml (renamed from library/blueimp_upload/server/gae-python/app.yaml) | 2 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/gae-python/main.py (renamed from library/blueimp_upload/server/gae-python/main.py) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/gae-python/static/robots.txt (renamed from library/blueimp_upload/server/gae-python/static/robots.txt) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/php/Dockerfile (renamed from library/blueimp_upload/server/php/Dockerfile) | 0 | ||||
-rwxr-xr-x | vendor/blueimp/jquery-file-upload/server/php/UploadHandler.php (renamed from library/blueimp_upload/server/php/UploadHandler.php) | 82 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/php/docker-compose.yml (renamed from library/blueimp_upload/server/php/docker-compose.yml) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/php/files/.gitignore (renamed from library/blueimp_upload/server/php/files/.gitignore) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/php/files/.htaccess (renamed from library/blueimp_upload/server/php/files/.htaccess) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/server/php/index.php | 15 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/test/index.html (renamed from library/blueimp_upload/test/index.html) | 0 | ||||
-rw-r--r-- | vendor/blueimp/jquery-file-upload/test/test.js (renamed from library/blueimp_upload/test/test.js) | 0 | ||||
-rw-r--r-- | vendor/composer/LICENSE | 69 | ||||
-rw-r--r-- | vendor/composer/autoload_classmap.php | 1 | ||||
-rw-r--r-- | vendor/composer/autoload_static.php | 1 | ||||
-rw-r--r-- | vendor/composer/installed.json | 57 | ||||
-rw-r--r-- | view/tpl/cloud.tpl | 6 | ||||
-rwxr-xr-x | view/tpl/jot-header.tpl | 6 | ||||
-rwxr-xr-x | view/tpl/msg-header.tpl | 6 |
67 files changed, 509 insertions, 63 deletions
diff --git a/Zotlabs/Module/Photos.php b/Zotlabs/Module/Photos.php
index f97f31ff7..78bfb1f09 100644
--- a/Zotlabs/Module/Photos.php
+++ b/Zotlabs/Module/Photos.php
@@ -612,9 +612,9 @@ class Photos extends \Zotlabs\Web\Controller {
 nav_set_selected('Photos');
- $o = '<script src="library/blueimp_upload/js/vendor/jquery.ui.widget.js"></script>
- <script src="library/blueimp_upload/js/jquery.iframe-transport.js"></script>
- <script src="library/blueimp_upload/js/jquery.fileupload.js"></script>';
+ $o = '<script src="vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js"></script>
+ <script src="vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js"></script>
+ <script src="vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js"></script>';
 $o .= "<script>
 var profile_uid = " . \App::$profile['profile_uid']
diff --git a/composer.json b/composer.json
index b2aec5332..f117cc3b1 100644
--- a/composer.json
+++ b/composer.json
@@ -39,7 +39,8 @@
 "lukasreschke/id3parser": "^0.0.1",
 "smarty/smarty": "~3.1",
 "ramsey/uuid": "^3.8",
- "twbs/bootstrap": "4.1.3"
+ "twbs/bootstrap": "4.1.3",
+ "blueimp/jquery-file-upload": "^9.25"
 },
 "require-dev" : {
 "phpunit/phpunit" : "@stable",
diff --git a/composer.lock b/composer.lock
index edeba994d..d7e8d11f6 100644
--- a/composer.lock
+++ b/composer.lock
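Review bot: The three new `<script src="vendor/blueimp/jquery-file-upload/...">` paths on the `+` lines only work if the web server serves the `vendor/` tree, and the diffstat shows that the same package directory now also carries the sample server-side handler: `vendor/blueimp/jquery-file-upload/server/php/index.php` is listed as a new file (it has no "renamed from" entry, unlike the rest of the package, so the old `library/` copy apparently did not ship it) next to `UploadHandler.php`, which the bundled SECURITY.md describes as having no user authentication by default. Unless the server configuration already denies requests under `vendor/blueimp/jquery-file-upload/server/` (not visible here), this move makes that handler reachable at a predictable URL; either deny that subtree in the web server config or copy only the three needed JS files into a served asset directory and point the script tags there. The same literal path prefix is repeated in the three templates in the diffstat (`view/tpl/cloud.tpl`, `jot-header.tpl`, `msg-header.tpl`), so a single constant for the JS base path would keep the next relocation to one edit. The enclosing method of `Photos` begins and ends outside the hunk.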
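Review bot: The new requirement `"blueimp/jquery-file-upload": "^9.25"` is resolved in the accompanying lock entry to `https://github.com/vkhramtsov/jQuery-File-Upload.git`, not the upstream `blueimp` repository given as the package's homepage, so the code installed under this name comes from a fork. Worth confirming that this source is the intended one and that the committed `vendor/blueimp/jquery-file-upload` tree matches the locked reference `28891f9b2bc339bcc1ca8d548e5401e8563bf04b`. The caret range also lets a later `composer update` pull any 9.x release; if the vendored tree is meant to be reproducible, consider pinning it with `"blueimp/jquery-file-upload": "9.25.1"` or treating the lock file as authoritative in deployment.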
@@ -4,9 +4,64 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "b7862124a9afe837c7eef8ee66f02ff4", + "content-hash": "63d0e52cc07f8113059ec30d3637b850", "packages": [ { + "name": "blueimp/jquery-file-upload", + "version": "v9.25.1", + "source": { + "type": "git", + "url": "https://github.com/vkhramtsov/jQuery-File-Upload.git", + "reference": "28891f9b2bc339bcc1ca8d548e5401e8563bf04b" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/vkhramtsov/jQuery-File-Upload/zipball/28891f9b2bc339bcc1ca8d548e5401e8563bf04b", + "reference": "28891f9b2bc339bcc1ca8d548e5401e8563bf04b", + "shasum": "" + }, + "type": "library", + "autoload": { + "classmap": [ + "server/php/UploadHandler.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Sebastian Tschan", + "homepage": "https://blueimp.net" + } + ], + "description": "File Upload widget for jQuery.", + "homepage": "https://github.com/blueimp/jQuery-File-Upload", + "keywords": [ + "bootstrap", + "chunk", + "cross-domain", + "cross-site", + "drag", + "drop", + "file", + "gae", + "go", + "jquery", + "multiple", + "php", + "preview", + "progress", + "python", + "resume", + "selection", + "upload", + "widget" + ], + "time": "2018-10-26T07:21:48+00:00" + }, + { "name": "bshaffer/oauth2-server-php", "version": "v1.10.0", "source": { diff --git a/library/blueimp_upload/.gitignore b/vendor/blueimp/jquery-file-upload/.gitignore index 29a41a8c4..29a41a8c4 100644 --- a/library/blueimp_upload/.gitignore +++ b/vendor/blueimp/jquery-file-upload/.gitignore diff --git a/library/blueimp_upload/.jshintrc b/vendor/blueimp/jquery-file-upload/.jshintrc index 4ad82e664..4ad82e664 100644 --- a/library/blueimp_upload/.jshintrc +++ b/vendor/blueimp/jquery-file-upload/.jshintrc 
diff --git a/library/blueimp_upload/.npmignore b/vendor/blueimp/jquery-file-upload/.npmignore
index 0530f5dbd..0530f5dbd 100644
--- a/library/blueimp_upload/.npmignore
+++ b/vendor/blueimp/jquery-file-upload/.npmignore
diff --git a/library/blueimp_upload/CONTRIBUTING.md b/vendor/blueimp/jquery-file-upload/CONTRIBUTING.md
index e182f9b37..e182f9b37 100644
--- a/library/blueimp_upload/CONTRIBUTING.md
+++ b/vendor/blueimp/jquery-file-upload/CONTRIBUTING.md
diff --git a/library/blueimp_upload/LICENSE.txt b/vendor/blueimp/jquery-file-upload/LICENSE.txt
index 87a644638..87a644638 100644
--- a/library/blueimp_upload/LICENSE.txt
+++ b/vendor/blueimp/jquery-file-upload/LICENSE.txt
diff --git a/library/blueimp_upload/README.md b/vendor/blueimp/jquery-file-upload/README.md
index 76bdf89d5..d2f104d5c 100644
--- a/library/blueimp_upload/README.md
+++ b/vendor/blueimp/jquery-file-upload/README.md
@@ -1,12 +1,22 @@
 # jQuery File Upload Plugin
-## Demo
-[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/)
-
 ## Description
 File Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery.
 Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.
+## Demo
+[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/)
+
+## ⚠️ Security Notice
+Security related releases:
+
+* [v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1) Mitigates some [Potential vulnerabilities with PHP+ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php+imagemagick).
+* [v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1) Fixes a [Remote code execution vulnerability in the PHP component](VULNERABILITIES.md#remote-code-execution-vulnerability-in-the-php-component).
+* v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1) Fixes an [Open redirect vulnerability in the GAE components](VULNERABILITIES.md#open-redirect-vulnerability-in-the-gae-components).
+* Commit [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a) (*fixed in all tagged releases*) Fixes a [Cross-site scripting vulnerability in the Iframe Transport](VULNERABILITIES.md#cross-site-scripting-vulnerability-in-the-iframe-transport).
+
+Please read the [SECURITY](SECURITY.md) document for instructions on how to securely configure your Webserver for file uploads.
+
 ## Setup
 * [How to setup the plugin on your website](https://github.com/blueimp/jQuery-File-Upload/wiki/Setup)
 * [How to use only the basic plugin (minimal setup guide).](https://github.com/blueimp/jQuery-File-Upload/wiki/Basic-plugin)
@@ -15,7 +25,7 @@ Supports cross-domain, chunked and resumable file uploads and client-side image
 * **Multiple file upload:**
 Allows to select multiple files at once and upload them simultaneously.
 * **Drag & Drop support:**
- Allows to upload files by dragging them from your desktop or filemanager and dropping them on your browser window.
+ Allows to upload files by dragging them from your desktop or file manager and dropping them on your browser window.
 * **Upload progress bar:**
 Shows a progress bar indicating the upload progress for individual files and for all uploads combined.
 * **Cancelable uploads:**
diff --git a/vendor/blueimp/jquery-file-upload/SECURITY.md b/vendor/blueimp/jquery-file-upload/SECURITY.md
new file mode 100644
index 000000000..db58f7dd7
--- /dev/null
+++ b/vendor/blueimp/jquery-file-upload/SECURITY.md
@@ -0,0 +1,133 @@
+# File Upload Security
+For an in-depth understanding of the potential security risks of providing file uploads and possible mitigations, please refer to the [OWASP - Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) documentation.
+
+To securely setup the project to serve uploaded files, please refer to the sample [Secure file upload serving configurations](#secure-file-upload-serving-configurations).
+
+To mitigate potential vulnerabilities in image processing libraries, please refer to the [Secure image processing configurations](#secure-image-processing-configurations).
+
+By default, all sample upload handlers allow only upload of image files, which mitigates some attack vectors, but should not be relied on as the only protection.
+
+Please also have a look at the [list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload, which relates mostly to the sample server-side upload handlers and how they have been configured.
+
+## Purpose of this project
+Please note that this project is not a complete file management product, but foremost a client-side file upload library for [jQuery](https://jquery.com/).
+The server-side sample upload handlers are just examples to demonstrate the client-side file upload functionality.
+
+To make this very clear, there is **no user authentication** by default:
+* **everyone can upload files**
+* **everyone can delete uploaded files**
+
+In some cases this can be acceptable, but for most projects you will want to extend the sample upload handlers to integrate user authentication, or implement your own.
+
+It is also up to you to configure your Webserver to securely serve the uploaded files, e.g. using the [sample server configurations](#secure-file-upload-serving-configurations).
+
+## Mitigations against file upload risks
+
+### Prevent code execution on the server
+To prevent execution of scripts or binaries on server-side, the upload directory must be configured to not execute files in the upload directory (e.g. `server/php/files` as the default for the PHP upload handler) and only treat uploaded files as static content.
+
+The recommended way to do this is to configure the upload directory path to point outside of the web application root.
+Then the Webserver can be configured to serve files from the upload directory with their default static files handler only.
+
+Limiting file uploads to a whitelist of safe file types (e.g. image files) also mitigates this issue, but should not be the only protection.
+
+### Prevent code execution in the browser
+To prevent execution of scripts on client-side, the following headers must
+be sent when delivering generic uploaded files to the client:
+
+```
+Content-Type: application/octet-stream
+X-Content-Type-Options: nosniff
+```
+
+The `Content-Type: application/octet-stream` header instructs browsers to display a download dialog instead of parsing it and possibly executing script content e.g. in HTML files.
+
+The `X-Content-Type-Options: nosniff` header prevents browsers to try to detect the file mime type despite the given content-type header.
+
+For known safe files, the content-type header can be adjusted using a **whitelist**, e.g. sending `Content-Type: image/png` for PNG files.
+
+### Prevent distribution of malware
+To prevent attackers from uploading and distributing malware (e.g. computer viruses), it is recommended to limit file uploads only to a whitelist of safe file types.
+
+Please note that the detection of file types in the sample file upload handlers is based on the file extension and not the actual file content.
This makes it still possible for attackers to upload malware by giving their files an image file extension, but should prevent automatic execution on client computers when opening those files.
+
+It does not protect at all from exploiting vulnerabilities in image display programs, nor from users renaming file extensions to inadvertently execute the contained malicious code.
+
+## Secure file upload serving configurations
+The following configurations serve uploaded files as static files with the proper headers as [mitigation against file upload risks](#mitigations-against-file-upload-risks).
+Please do not simply copy&paste these configurations, but make sure you understand what they are doing and that you have implemented them correctly.
+
+> Always test your own setup and make sure that it is secure!
+
+e.g. try uploading PHP scripts (as "example.php", "example.php.png" and "example.png") to see if they get executed by your Webserver.
+
+### Apache config
+Add the following directive to the Apache config, replacing the directory path with the absolute path to the upload directory:
+
+```ApacheConf
+<Directory "/path/to/project/server/php/files">
+ # To enable the Headers module, execute the following command and reload Apache:
+ # sudo a2enmod headers
+
+ # The following directives prevent the execution of script files
+ # in the context of the website.
+ # They also force the content-type application/octet-stream and
+ # force browsers to display a download dialog for non-image files.
+ SetHandler default-handler
+ ForceType application/octet-stream
+ Header set Content-Disposition attachment
+
+ # The following unsets the forced type and Content-Disposition headers
+ # for known image files:
+ <FilesMatch "(?i)\.(gif|jpe?g|png)$">
+ ForceType none
+ Header unset Content-Disposition
+ </FilesMatch>
+
+ # The following directive prevents browsers from MIME-sniffing the content-type.
+ # This is an important complement to the ForceType directive above:
+ Header set X-Content-Type-Options nosniff
+</Directory>
+```
+
+### NGINX config
+Add the following directive to the NGINX config, replacing the directory path with the absolute path to the upload directory:
+
+```Nginx
+location ^~ /path/to/project/server/php/files {
+ root html;
+ default_type application/octet-stream;
+ types {
+ image/gif gif;
+ image/jpeg jpg;
+ image/png png;
+ }
+ add_header X-Content-Type-Options 'nosniff';
+ if ($request_filename ~ /(((?!\.(jpg)|(png)|(gif)$)[^/])+$)) {
+ add_header Content-Disposition 'attachment; filename="$1"';
+ # Add X-Content-Type-Options again, as using add_header in a new context
+ # dismisses all previous add_header calls:
+ add_header X-Content-Type-Options 'nosniff';
+ }
+}
+```
+
+## Secure image processing configurations
+The following configuration mitigates [potential image processing vulnerabilities with ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php+imagemagick) by limiting the attack vectors to a small subset of image types (`GIF/JPEG/PNG`).
+
+Please also consider using alternative, safer image processing libraries like [libvips](https://github.com/libvips/libvips) or [imageflow](https://github.com/imazen/imageflow).
+
+## ImageMagick config
+It is recommended to disable all non-required ImageMagick coders via [policy.xml](https://wiki.debian.org/imagemagick/security).
+To do so, locate the ImageMagick `policy.xml` configuration file and add the following policies:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- ... -->
+<policymap>
+ <!-- ... -->
+ <policy domain="delegate" rights="none" pattern="*" />
+ <policy domain="coder" rights="none" pattern="*" />
+ <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG}" />
+</policymap>
+```
diff --git a/vendor/blueimp/jquery-file-upload/VULNERABILITIES.md b/vendor/blueimp/jquery-file-upload/VULNERABILITIES.md
new file mode 100644
index 000000000..1561a1401
--- /dev/null
+++ b/vendor/blueimp/jquery-file-upload/VULNERABILITIES.md
@@ -0,0 +1,65 @@
+# ⚠️ List of fixed vulnerabilities
+
+## Potential vulnerabilities with PHP+ImageMagick
+> Mitigated: 2018-10-25 (GMT)
+
+The sample [PHP upload handler](server/php/UploadHandler.php) before [v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1) did not validate file signatures before invoking [ImageMagick](https://www.imagemagick.org/) (via [Imagick](http://php.net/manual/en/book.imagick.php)).
+Verifying those [magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`.
+
+Please also configure ImageMagick to only enable the coders required for `GIF/JPEG/PNG` processing, e.g. with the sample [ImageMagick config](SECURITY.md#imagemagick-config).
+
+**Further information:**
+* Commit containing the mitigation: [fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd)
+* [ImageTragick](https://imagetragick.com/)
+* [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928)
+* [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick)
+
+## Remote code execution vulnerability in the PHP component
+> Fixed: 2018-10-23 (GMT)
+
+The sample [PHP upload handler](server/php/UploadHandler.php) before [v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1) allowed to upload all file types by default.
+This opens up a remote code execution vulnerability, unless the server is configured to not execute (PHP) files in the upload directory (`server/php/files`).
+
+The provided [.htaccess](server/php/files/.htaccess) file includes instructions for Apache to disable script execution, however [.htaccess support](https://httpd.apache.org/docs/current/howto/htaccess.html) is disabled by default since Apache `v2.3.9` via [AllowOverride Directive](https://httpd.apache.org/docs/current/mod/core.html#allowoverride).
+
+**You are affected if you:**
+1. A) Uploaded jQuery File Upload < `v9.24.1` on a Webserver that executes files with `.php` as part of the file extension (e.g. "example.php.png"), e.g. Apache with `mod_php` enabled and the following directive (*not a recommended configuration*):
+ ```ApacheConf
+ AddHandler php5-script .php
+ ```
+ B) Uploaded jQuery File Upload < `v9.22.1` on a Webserver that executes files with the file extension `.php`, e.g. Apache with `mod_php` enabled and the following directive:
+ ```ApacheConf
+ <FilesMatch \.php$>
+ SetHandler application/x-httpd-php
+ </FilesMatch>
+ ```
+2. Did not actively configure your Webserver to not execute files in the upload directory (`server/php/files`).
+3. Are running Apache `v2.3.9+` with the default `AllowOverride` Directive set to `None` or another Webserver with no `.htaccess` support.
+
+**How to fix it:**
+1. Upgrade to the latest version of jQuery File Upload.
+2. Configure your Webserver to not execute files in the upload directory, e.g. with the [sample Apache configuration](SECURITY.md#apache-config)
+
+**Further information:**
+* Commits containing the security fix: [aeb47e5](https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f), [ad4aefd](https://github.com/blueimp/jQuery-File-Upload/commit/ad4aefd96e4056deab6fea2690f0d8cf56bb2d7d)
+* [Full disclosure post on Hacker News](https://news.ycombinator.com/item?id=18267309).
+* [CVE-2018-9206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206)
+* [OWASP - Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload)
+
+## Open redirect vulnerability in the GAE components
+> Fixed: 2015-06-12 (GMT)
+
+The sample Google App Engine upload handlers before v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1) accepted any URL as redirect target, making it possible to use the Webserver's domain for phishing attacks.
+
+**Further information:**
+* Commit containing the security fix: [f74d2a8](https://github.com/blueimp/jQuery-File-Upload/commit/f74d2a8c3e3b1e8e336678d2899facd5bcdb589f)
+* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
+
+## Cross-site scripting vulnerability in the Iframe Transport
+> Fixed: 2012-08-09 (GMT)
+
+The [redirect page](cors/result.html) for the [Iframe Transport](js/jquery.iframe-transport.js) before commit [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a) (*fixed in all tagged releases*) allowed executing arbitrary JavaScript in the context of the Webserver.
+
+**Further information:**
+* Commit containing the security fix: [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
+* [OWASP - Cross-site Scripting (XSS)](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS))
diff --git a/library/blueimp_upload/angularjs.html b/vendor/blueimp/jquery-file-upload/angularjs.html
index 2051bbf79..2051bbf79 100644
--- a/library/blueimp_upload/angularjs.html
+++ b/vendor/blueimp/jquery-file-upload/angularjs.html
diff --git a/library/blueimp_upload/basic-plus.html b/vendor/blueimp/jquery-file-upload/basic-plus.html
index acee24843..acee24843 100644
--- a/library/blueimp_upload/basic-plus.html
+++ b/vendor/blueimp/jquery-file-upload/basic-plus.html
diff --git a/library/blueimp_upload/basic.html b/vendor/blueimp/jquery-file-upload/basic.html
index 232a24624..232a24624 100644
--- a/library/blueimp_upload/basic.html
+++ b/vendor/blueimp/jquery-file-upload/basic.html
diff --git a/library/blueimp_upload/bower-version-update.js b/vendor/blueimp/jquery-file-upload/bower-version-update.js
index 09ce3927e..09ce3927e 100755
--- a/library/blueimp_upload/bower-version-update.js
+++ b/vendor/blueimp/jquery-file-upload/bower-version-update.js
diff --git a/library/blueimp_upload/bower.json b/vendor/blueimp/jquery-file-upload/bower.json
index 4f4cd8adb..34594a32f 100644
--- a/library/blueimp_upload/bower.json
+++ b/vendor/blueimp/jquery-file-upload/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "blueimp-file-upload",
- "version": "9.23.0",
+ "version": "9.25.1",
 "title": "jQuery File Upload",
 "description": "File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images.",
 "keywords": [
diff --git a/vendor/blueimp/jquery-file-upload/composer.json b/vendor/blueimp/jquery-file-upload/composer.json
new file mode 100644
index 000000000..d17f4ff9e
--- /dev/null
+++ b/vendor/blueimp/jquery-file-upload/composer.json
@@ -0,0 +1,39 @@
+{
+ "name": "blueimp/jquery-file-upload"
+ , "description": "File Upload widget for jQuery."
+ , "keywords": ["jquery",
+ "file",
+ "upload",
+ "widget",
+ "multiple",
+ "selection",
+ "drag",
+ "drop",
+ "progress",
+ "preview",
+ "cross-domain",
+ "cross-site",
+ "chunk",
+ "resume",
+ "gae",
+ "go",
+ "python",
+ "php",
+ "bootstrap"]
+ , "homepage": "https://github.com/blueimp/jQuery-File-Upload"
+ , "authors": [
+ {
+ "name": "Sebastian Tschan",
+ "homepage": "https://blueimp.net"
+ }
+ ]
+ , "support": {
+ "forum": "https://groups.google.com/forum/#!forum/jquery-fileupload"
+ }
+ , "license": "MIT"
+ , "autoload": {
+ "classmap": [
+ "server/php/UploadHandler.php"
+ ]
+ }
+}
diff --git a/library/blueimp_upload/cors/postmessage.html b/vendor/blueimp/jquery-file-upload/cors/postmessage.html
index 6a56cf0b6..6a56cf0b6 100644
--- a/library/blueimp_upload/cors/postmessage.html
+++ b/vendor/blueimp/jquery-file-upload/cors/postmessage.html
diff --git a/library/blueimp_upload/cors/result.html b/vendor/blueimp/jquery-file-upload/cors/result.html
index e3d629814..e3d629814 100644
--- a/library/blueimp_upload/cors/result.html
+++ b/vendor/blueimp/jquery-file-upload/cors/result.html
diff --git a/library/blueimp_upload/css/jquery-ui-demo-ie8.css b/vendor/blueimp/jquery-file-upload/css/jquery-ui-demo-ie8.css
index e0e8ea9b0..e0e8ea9b0 100644
--- a/library/blueimp_upload/css/jquery-ui-demo-ie8.css
+++ b/vendor/blueimp/jquery-file-upload/css/jquery-ui-demo-ie8.css
diff --git a/library/blueimp_upload/css/jquery-ui-demo.css b/vendor/blueimp/jquery-file-upload/css/jquery-ui-demo.css
index d7d524df5..d7d524df5 100644
--- a/library/blueimp_upload/css/jquery-ui-demo.css
+++ b/vendor/blueimp/jquery-file-upload/css/jquery-ui-demo.css
diff --git a/library/blueimp_upload/css/jquery.fileupload-noscript.css b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-noscript.css
index 2409bfb0a..2409bfb0a 100644
--- a/library/blueimp_upload/css/jquery.fileupload-noscript.css
+++ b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-noscript.css
diff --git a/library/blueimp_upload/css/jquery.fileupload-ui-noscript.css b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui-noscript.css
index 30651acf0..30651acf0 100644
--- a/library/blueimp_upload/css/jquery.fileupload-ui-noscript.css
+++ b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui-noscript.css
diff --git a/library/blueimp_upload/css/jquery.fileupload-ui.css b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui.css
index 9e36c42c5..9e36c42c5 100644
--- a/library/blueimp_upload/css/jquery.fileupload-ui.css
+++ b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload-ui.css
diff --git a/library/blueimp_upload/css/jquery.fileupload.css b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload.css
index 8ae3b09d4..8ae3b09d4 100644
--- a/library/blueimp_upload/css/jquery.fileupload.css
+++ b/vendor/blueimp/jquery-file-upload/css/jquery.fileupload.css
diff --git a/library/blueimp_upload/css/style.css b/vendor/blueimp/jquery-file-upload/css/style.css
index 3aee25689..3aee25689 100644
--- a/library/blueimp_upload/css/style.css
+++ b/vendor/blueimp/jquery-file-upload/css/style.css
diff --git a/library/blueimp_upload/img/loading.gif b/vendor/blueimp/jquery-file-upload/img/loading.gif Binary files differindex 90f28cbdb..90f28cbdb 100644 --- a/library/blueimp_upload/img/loading.gif +++ b/vendor/blueimp/jquery-file-upload/img/loading.gif diff --git a/library/blueimp_upload/img/progressbar.gif b/vendor/blueimp/jquery-file-upload/img/progressbar.gif Binary files differindex fbcce6bc9..fbcce6bc9 100644 --- a/library/blueimp_upload/img/progressbar.gif +++ b/vendor/blueimp/jquery-file-upload/img/progressbar.gif diff --git a/library/blueimp_upload/index.html b/vendor/blueimp/jquery-file-upload/index.html index c8c66ad8b..c8c66ad8b 100644 --- a/library/blueimp_upload/index.html +++ b/vendor/blueimp/jquery-file-upload/index.html diff --git a/library/blueimp_upload/jquery-ui.html b/vendor/blueimp/jquery-file-upload/jquery-ui.html index 842dd4ca7..842dd4ca7 100644 --- a/library/blueimp_upload/jquery-ui.html +++ b/vendor/blueimp/jquery-file-upload/jquery-ui.html diff --git a/library/blueimp_upload/js/app.js b/vendor/blueimp/jquery-file-upload/js/app.js index e6b7bce3e..e6b7bce3e 100644 --- a/library/blueimp_upload/js/app.js +++ b/vendor/blueimp/jquery-file-upload/js/app.js diff --git a/library/blueimp_upload/js/cors/jquery.postmessage-transport.js b/vendor/blueimp/jquery-file-upload/js/cors/jquery.postmessage-transport.js index 2a0c38cb6..2a0c38cb6 100644 --- a/library/blueimp_upload/js/cors/jquery.postmessage-transport.js +++ b/vendor/blueimp/jquery-file-upload/js/cors/jquery.postmessage-transport.js diff --git a/library/blueimp_upload/js/cors/jquery.xdr-transport.js b/vendor/blueimp/jquery-file-upload/js/cors/jquery.xdr-transport.js index a4e2699c6..a4e2699c6 100644 --- a/library/blueimp_upload/js/cors/jquery.xdr-transport.js +++ b/vendor/blueimp/jquery-file-upload/js/cors/jquery.xdr-transport.js 
diff --git a/library/blueimp_upload/js/jquery.fileupload-angular.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-angular.js index 185907d36..185907d36 100644 --- a/library/blueimp_upload/js/jquery.fileupload-angular.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-angular.js diff --git a/library/blueimp_upload/js/jquery.fileupload-audio.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-audio.js index a25377619..a25377619 100644 --- a/library/blueimp_upload/js/jquery.fileupload-audio.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-audio.js diff --git a/library/blueimp_upload/js/jquery.fileupload-image.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-image.js index 65fc6d7b8..65fc6d7b8 100644 --- a/library/blueimp_upload/js/jquery.fileupload-image.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-image.js diff --git a/library/blueimp_upload/js/jquery.fileupload-jquery-ui.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-jquery-ui.js index 7b136b379..7b136b379 100644 --- a/library/blueimp_upload/js/jquery.fileupload-jquery-ui.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-jquery-ui.js diff --git a/library/blueimp_upload/js/jquery.fileupload-process.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-process.js index 638f0d26b..638f0d26b 100644 --- a/library/blueimp_upload/js/jquery.fileupload-process.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-process.js diff --git a/library/blueimp_upload/js/jquery.fileupload-ui.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-ui.js index 5058084b4..5058084b4 100644 --- a/library/blueimp_upload/js/jquery.fileupload-ui.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-ui.js diff --git a/library/blueimp_upload/js/jquery.fileupload-validate.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-validate.js index eebeb3733..eebeb3733 100644 
--- a/library/blueimp_upload/js/jquery.fileupload-validate.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-validate.js diff --git a/library/blueimp_upload/js/jquery.fileupload-video.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-video.js index aedcec2ba..aedcec2ba 100644 --- a/library/blueimp_upload/js/jquery.fileupload-video.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload-video.js diff --git a/library/blueimp_upload/js/jquery.fileupload.js b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js index 700f9013c..700f9013c 100644 --- a/library/blueimp_upload/js/jquery.fileupload.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js diff --git a/library/blueimp_upload/js/jquery.iframe-transport.js b/vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js index 8d25c4641..8d25c4641 100644 --- a/library/blueimp_upload/js/jquery.iframe-transport.js +++ b/vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js diff --git a/library/blueimp_upload/js/main.js b/vendor/blueimp/jquery-file-upload/js/main.js index 0403682e7..0403682e7 100644 --- a/library/blueimp_upload/js/main.js +++ b/vendor/blueimp/jquery-file-upload/js/main.js diff --git a/library/blueimp_upload/js/vendor/jquery.ui.widget.js b/vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js index 914b8ffb8..914b8ffb8 100644 --- a/library/blueimp_upload/js/vendor/jquery.ui.widget.js +++ b/vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js diff --git a/library/blueimp_upload/package.json b/vendor/blueimp/jquery-file-upload/package.json index 4801d7913..4b33a0362 100644 --- a/library/blueimp_upload/package.json +++ b/vendor/blueimp/jquery-file-upload/package.json 
@@ -1,6 +1,6 @@ { "name": "blueimp-file-upload", - "version": "9.23.0", + "version": "9.25.1", "title": "jQuery File Upload", "description": "File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.", "keywords": [ diff --git a/library/blueimp_upload/server/gae-go/app.yaml b/vendor/blueimp/jquery-file-upload/server/gae-go/app.yaml index 2d09daa56..b5ac1a2e1 100644 --- a/library/blueimp_upload/server/gae-go/app.yaml +++ b/vendor/blueimp/jquery-file-upload/server/gae-go/app.yaml @@ -1,5 +1,3 @@ -application: jquery-file-upload -version: 2 runtime: go api_version: go1 diff --git a/library/blueimp_upload/server/gae-go/app/main.go b/vendor/blueimp/jquery-file-upload/server/gae-go/main.go index a92d128c0..a92d128c0 100644 --- a/library/blueimp_upload/server/gae-go/app/main.go +++ b/vendor/blueimp/jquery-file-upload/server/gae-go/main.go diff --git a/library/blueimp_upload/server/gae-go/static/robots.txt b/vendor/blueimp/jquery-file-upload/server/gae-go/static/robots.txt index eb0536286..eb0536286 100644 --- a/library/blueimp_upload/server/gae-go/static/robots.txt +++ b/vendor/blueimp/jquery-file-upload/server/gae-go/static/robots.txt diff --git a/library/blueimp_upload/server/gae-python/app.yaml b/vendor/blueimp/jquery-file-upload/server/gae-python/app.yaml index 764449b74..0c49462fa 100644 --- a/library/blueimp_upload/server/gae-python/app.yaml +++ b/vendor/blueimp/jquery-file-upload/server/gae-python/app.yaml @@ -1,5 +1,3 @@ -application: jquery-file-upload -version: 1 runtime: python27 api_version: 1 threadsafe: true diff --git a/library/blueimp_upload/server/gae-python/main.py b/vendor/blueimp/jquery-file-upload/server/gae-python/main.py index 1955ac00a..1955ac00a 100644 
--- a/library/blueimp_upload/server/gae-python/main.py +++ b/vendor/blueimp/jquery-file-upload/server/gae-python/main.py diff --git a/library/blueimp_upload/server/gae-python/static/robots.txt b/vendor/blueimp/jquery-file-upload/server/gae-python/static/robots.txt index eb0536286..eb0536286 100644 --- a/library/blueimp_upload/server/gae-python/static/robots.txt +++ b/vendor/blueimp/jquery-file-upload/server/gae-python/static/robots.txt diff --git a/library/blueimp_upload/server/php/Dockerfile b/vendor/blueimp/jquery-file-upload/server/php/Dockerfile index 8633fee74..8633fee74 100644 --- a/library/blueimp_upload/server/php/Dockerfile +++ b/vendor/blueimp/jquery-file-upload/server/php/Dockerfile diff --git a/library/blueimp_upload/server/php/UploadHandler.php b/vendor/blueimp/jquery-file-upload/server/php/UploadHandler.php index 285d046aa..e44004395 100755 --- a/library/blueimp_upload/server/php/UploadHandler.php +++ b/vendor/blueimp/jquery-file-upload/server/php/UploadHandler.php @@ -38,6 +38,10 @@ class UploadHandler 'image_resize' => 'Failed to resize image' ); + protected const IMAGETYPE_GIF = 1; + protected const IMAGETYPE_JPEG = 2; + protected const IMAGETYPE_PNG = 3; + protected $image_objects = array(); public function __construct($options = null, $initialize = true, $error_messages = null) { 
@@ -89,17 +93,32 @@ class UploadHandler 'readfile_chunk_size' => 10 * 1024 * 1024, // 10 MiB // Defines which files can be displayed inline when downloaded: 'inline_file_types' => '/\.(gif|jpe?g|png)$/i', - // Defines which files (based on their names) are accepted for upload: - 'accept_file_types' => '/.+$/i', + // Defines which files (based on their names) are accepted for upload. + // By default, only allows file uploads with image file extensions. + // Only change this setting after making sure that any allowed file + // types cannot be executed by the webserver in the files directory, + // e.g. PHP scripts, nor executed by the browser when downloaded, + // e.g. HTML files with embedded JavaScript code. + // Please also read the SECURITY.md document in this repository. + 'accept_file_types' => '/\.(gif|jpe?g|png)$/i', + // Replaces dots in filenames with the given string. + // Can be disabled by setting it to false or an empty string. + // Note that this is a security feature for servers that support + // multiple file extensions, e.g. the Apache AddHandler Directive: + // https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler + // Before disabling it, make sure that files uploaded with multiple + // extensions cannot be executed by the webserver, e.g. + // "example.php.png" with embedded PHP code, nor executed by the + // browser when downloaded, e.g. "example.html.gif" with embedded + // JavaScript code. 
+ 'replace_dots_in_filenames' => '-', // The php.ini settings upload_max_filesize and post_max_size // take precedence over the following max_file_size setting: 'max_file_size' => null, 'min_file_size' => 1, // The maximum number of files for the upload directory: 'max_number_of_files' => null, - // Defines which files are handled as image files: - 'image_file_types' => '/\.(gif|jpe?g|png)$/i', - // Use exif_imagetype on all files to correct file extensions: + // Reads first file bytes to identify and correct file extensions: 'correct_image_extensions' => false, // Image resolution restrictions: 'max_width' => null, @@ -146,7 +165,7 @@ class UploadHandler 'max_width' => 800, 'max_height' => 600 ), - */ + */ 'thumbnail' => array( // Uncomment the following to use a defined directory for the thumbnails // instead of a subdirectory based on the version identifier. @@ -416,9 +435,8 @@ class UploadHandler $min_width = @$this->options['min_width']; $min_height = @$this->options['min_height']; if (($max_width || $max_height || $min_width || $min_height) - && preg_match($this->options['image_file_types'], $file->name)) { + && $this->is_valid_image_file($uploaded_file)) { list($img_width, $img_height) = $this->get_image_size($uploaded_file); - // If we are auto rotating the image by default, do the checks on // the correct orientation if ( @@ -432,7 +450,6 @@ class UploadHandler $img_height = $tmp; unset($tmp); } - } if (!empty($img_width)) { if ($max_width && $img_width > $max_width) { 
@@ -494,16 +511,15 @@ class UploadHandler preg_match('/^image\/(gif|jpe?g|png)/', $type, $matches)) { $name .= '.'.$matches[1]; } - if ($this->options['correct_image_extensions'] && - function_exists('exif_imagetype')) { - switch (@exif_imagetype($file_path)){ - case IMAGETYPE_JPEG: + if ($this->options['correct_image_extensions']) { + switch ($this->imagetype($file_path)) { + case self::IMAGETYPE_JPEG: $extensions = array('jpg', 'jpeg'); break; - case IMAGETYPE_PNG: + case self::IMAGETYPE_PNG: $extensions = array('png'); break; - case IMAGETYPE_GIF: + case self::IMAGETYPE_GIF: $extensions = array('gif'); break; } @@ -527,6 +543,16 @@ class UploadHandler // into different directories or replacing hidden system files. // Also remove control characters and spaces (\x00..\x20) around the filename: $name = trim($this->basename(stripslashes($name)), ".\x00..\x20"); + // Replace dots in filenames to avoid security issues with servers + // that interpret multiple file extensions, e.g. "example.php.png": + $replacement = $this->options['replace_dots_in_filenames']; + if (!empty($replacement)) { + $parts = explode('.', $name); + if (count($parts) > 2) { + $ext = array_pop($parts); + $name = implode($replacement, $parts).'.'.$ext; + } + } // Use a timestamp for empty filenames: if (!$name) { $name = str_replace('.', '-', microtime(true)); 
@@ -1036,15 +1062,27 @@ class UploadHandler
 }
 }
- protected function is_valid_image_file($file_path) {
- if (!preg_match($this->options['image_file_types'], $file_path)) {
- return false;
+ protected function imagetype($file_path) {
+ $fp = fopen($file_path, 'r');
+ $data = fread($fp, 4);
+ fclose($fp);
+ // GIF: 47 49 46
+ if (substr($data, 0, 3) === 'GIF') {
+ return self::IMAGETYPE_GIF;
+ }
+ // JPG: FF D8
+ if (bin2hex(substr($data, 0, 2)) === 'ffd8') {
+ return self::IMAGETYPE_JPEG;
 }
- if (function_exists('exif_imagetype')) {
- return @exif_imagetype($file_path);
+ // PNG: 89 50 4E 47
+ if (bin2hex(@$data[0]).substr($data, 1, 4) === '89PNG') {
+ return self::IMAGETYPE_PNG;
 }
- $image_info = $this->get_image_size($file_path);
- return $image_info && $image_info[0] && $image_info[1];
+ return false;
+ }
+
+ protected function is_valid_image_file($file_path) {
+ return !!$this->imagetype($file_path);
 }
 protected function handle_image_file($file_path, $file) {
diff --git a/library/blueimp_upload/server/php/docker-compose.yml b/vendor/blueimp/jquery-file-upload/server/php/docker-compose.yml
index 74eabf7dc..74eabf7dc 100644
--- a/library/blueimp_upload/server/php/docker-compose.yml
+++ b/vendor/blueimp/jquery-file-upload/server/php/docker-compose.yml
diff --git a/library/blueimp_upload/server/php/files/.gitignore b/vendor/blueimp/jquery-file-upload/server/php/files/.gitignore
index e24a60fae..e24a60fae 100644
--- a/library/blueimp_upload/server/php/files/.gitignore
+++ b/vendor/blueimp/jquery-file-upload/server/php/files/.gitignore
diff --git a/library/blueimp_upload/server/php/files/.htaccess b/vendor/blueimp/jquery-file-upload/server/php/files/.htaccess
index 6f454afb9..6f454afb9 100644
--- a/library/blueimp_upload/server/php/files/.htaccess
+++ b/vendor/blueimp/jquery-file-upload/server/php/files/.htaccess
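Review bot: `imagetype()` calls `fread($fp, 4)` without checking that `fopen()` succeeded, so an unreadable `$file_path` emits warnings and then runs the three comparisons against a non-string `$data` before reaching `return false`; a guard `if ($fp === false) { return false; }` directly after the `fopen` line keeps that failure explicit and silent. For callers of `is_valid_image_file()`, it is worth stating in a comment above the GIF check that these two-to-four-byte signature matches only identify the format for extension correction and dimension checks, and that a file starting with `GIF89a` followed by PHP or HTML still passes, so the `accept_file_types` allow-list and the webserver's refusal to execute anything under the upload directory remain the actual security controls. The enclosing class continues outside the hunk.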
diff --git a/vendor/blueimp/jquery-file-upload/server/php/index.php b/vendor/blueimp/jquery-file-upload/server/php/index.php
new file mode 100644
index 000000000..9c2cfb8eb
--- /dev/null
+++ b/vendor/blueimp/jquery-file-upload/server/php/index.php
@@ -0,0 +1,15 @@
+<?php
+/*
+ * jQuery File Upload Plugin PHP Example
+ * https://github.com/blueimp/jQuery-File-Upload
+ *
+ * Copyright 2010, Sebastian Tschan
+ * https://blueimp.net
+ *
+ * Licensed under the MIT license:
+ * https://opensource.org/licenses/MIT
+ */
+exit;
+error_reporting(E_ALL | E_STRICT);
+require('UploadHandler.php');
+$upload_handler = new UploadHandler();
diff --git a/library/blueimp_upload/test/index.html b/vendor/blueimp/jquery-file-upload/test/index.html
index 0b5cf57b7..0b5cf57b7 100644
--- a/library/blueimp_upload/test/index.html
+++ b/vendor/blueimp/jquery-file-upload/test/index.html
diff --git a/library/blueimp_upload/test/test.js b/vendor/blueimp/jquery-file-upload/test/test.js
index 452127567..452127567 100644
--- a/library/blueimp_upload/test/test.js
+++ b/vendor/blueimp/jquery-file-upload/test/test.js
diff --git a/vendor/composer/LICENSE b/vendor/composer/LICENSE
index f27399a04..f0157a6ed 100644
--- a/vendor/composer/LICENSE
+++ b/vendor/composer/LICENSE
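Review bot: The `exit;` placed before `require('UploadHandler.php')` is the only thing stopping this example endpoint from accepting anonymous uploads into `server/php/files/`, and it reads like a local hardening edit rather than upstream code, yet it now lives inside a composer-managed `vendor/` path; the next `composer install` or `update` that re-fetches `blueimp/jquery-file-upload` will presumably overwrite it and re-expose `vendor/blueimp/jquery-file-upload/server/php/index.php`. Prefer denying web access to `vendor/` (or at least `vendor/blueimp/jquery-file-upload/server/`) in the `.htaccess`/vhost configuration so the protection survives dependency refreshes, and add a comment above `exit;` recording the intent, e.g. `// Hubzilla: example upload endpoint deliberately disabled; do not remove`. The `index.php` hunk is complete in this view.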
@@ -1,21 +1,56 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Composer +Upstream-Contact: Jordi Boggiano <j.boggiano@seld.be> +Source: https://github.com/composer/composer -Copyright (c) Nils Adermann, Jordi Boggiano +Files: * +Copyright: 2016, Nils Adermann <naderman@naderman.de> + 2016, Jordi Boggiano <j.boggiano@seld.be> +License: Expat -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is furnished -to do so, subject to the following conditions: +Files: src/Composer/Util/TlsHelper.php +Copyright: 2016, Nils Adermann <naderman@naderman.de> + 2016, Jordi Boggiano <j.boggiano@seld.be> + 2013, Evan Coury <me@evancoury.com> +License: Expat and BSD-2-Clause -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. +License: BSD-2-Clause + Redistribution and use in source and binary forms, with or without modification, + are permitted provided that the following conditions are met: + . + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + . 
+ * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON + ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is furnished + to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. diff --git a/vendor/composer/autoload_classmap.php b/vendor/composer/autoload_classmap.php index 065aceee8..f3c814e02 100644 --- a/vendor/composer/autoload_classmap.php +++ b/vendor/composer/autoload_classmap.php @@ -805,6 +805,7 @@ return array( 'Text_LanguageDetect_Exception' => $vendorDir . '/pear/text_languagedetect/Text/LanguageDetect/Exception.php', 'Text_LanguageDetect_ISO639' => $vendorDir . '/pear/text_languagedetect/Text/LanguageDetect/ISO639.php', 'Text_LanguageDetect_Parser' => $vendorDir . '/pear/text_languagedetect/Text/LanguageDetect/Parser.php', + 'UploadHandler' => $vendorDir . '/blueimp/jquery-file-upload/server/php/UploadHandler.php', 'Zotlabs\\Access\\AccessList' => $baseDir . '/Zotlabs/Access/AccessList.php', 'Zotlabs\\Access\\PermissionLimits' => $baseDir . '/Zotlabs/Access/PermissionLimits.php', 'Zotlabs\\Access\\PermissionRoles' => $baseDir . '/Zotlabs/Access/PermissionRoles.php', diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php index 4b8c414e0..d55227eb1 100644 --- a/vendor/composer/autoload_static.php +++ b/vendor/composer/autoload_static.php 
@@ -973,6 +973,7 @@ class ComposerStaticInit7b34d7e50a62201ec5d5e526a5b8b35d 'Text_LanguageDetect_Exception' => __DIR__ . '/..' . '/pear/text_languagedetect/Text/LanguageDetect/Exception.php', 'Text_LanguageDetect_ISO639' => __DIR__ . '/..' . '/pear/text_languagedetect/Text/LanguageDetect/ISO639.php', 'Text_LanguageDetect_Parser' => __DIR__ . '/..' . '/pear/text_languagedetect/Text/LanguageDetect/Parser.php', + 'UploadHandler' => __DIR__ . '/..' . '/blueimp/jquery-file-upload/server/php/UploadHandler.php', 'Zotlabs\\Access\\AccessList' => __DIR__ . '/../..' . '/Zotlabs/Access/AccessList.php', 'Zotlabs\\Access\\PermissionLimits' => __DIR__ . '/../..' . '/Zotlabs/Access/PermissionLimits.php', 'Zotlabs\\Access\\PermissionRoles' => __DIR__ . '/../..' . '/Zotlabs/Access/PermissionRoles.php', diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index b51c4160f..af845828e 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json 
@@ -1,5 +1,62 @@ [ { + "name": "blueimp/jquery-file-upload", + "version": "v9.25.1", + "version_normalized": "9.25.1.0", + "source": { + "type": "git", + "url": "https://github.com/vkhramtsov/jQuery-File-Upload.git", + "reference": "28891f9b2bc339bcc1ca8d548e5401e8563bf04b" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/vkhramtsov/jQuery-File-Upload/zipball/28891f9b2bc339bcc1ca8d548e5401e8563bf04b", + "reference": "28891f9b2bc339bcc1ca8d548e5401e8563bf04b", + "shasum": "" + }, + "time": "2018-10-26T07:21:48+00:00", + "type": "library", + "installation-source": "dist", + "autoload": { + "classmap": [ + "server/php/UploadHandler.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Sebastian Tschan", + "homepage": "https://blueimp.net" + } + ], + "description": "File Upload widget for jQuery.", + "homepage": "https://github.com/blueimp/jQuery-File-Upload", + "keywords": [ + "bootstrap", + "chunk", + "cross-domain", + "cross-site", + "drag", + "drop", + "file", + "gae", + "go", + "jquery", + "multiple", + "php", + "preview", + "progress", + "python", + "resume", + "selection", + "upload", + "widget" + ] + }, + { "name": "bshaffer/oauth2-server-php", "version": "v1.10.0", "version_normalized": "1.10.0.0", diff --git a/view/tpl/cloud.tpl b/view/tpl/cloud.tpl index e7237c7e6..9df95c8cc 100644 --- a/view/tpl/cloud.tpl +++ b/view/tpl/cloud.tpl 
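Review bot: The new `blueimp/jquery-file-upload` entry resolves both `source` and `dist` to `github.com/vkhramtsov/jQuery-File-Upload` at `28891f9b…`, not to the `blueimp/jQuery-File-Upload` repository given as `homepage`, and `dist.shasum` is empty, so nothing in this record verifies the archive content beyond that git reference. If that fork is where the Packagist package is published from, say so in the commit message or a short note next to composer.json so the next reviewer does not have to re-verify it; if it is not expected, the dependency should be repointed before this lands, since the commit title relies on this package being the fixed upstream code.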
@@ -1,6 +1,6 @@ -<script src="library/blueimp_upload/js/vendor/jquery.ui.widget.js"></script> -<script src="library/blueimp_upload/js/jquery.iframe-transport.js"></script> -<script src="library/blueimp_upload/js/jquery.fileupload.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js"></script> <div class="generic-content-wrapper"> {{include file="cloud_header.tpl"}} diff --git a/view/tpl/jot-header.tpl b/view/tpl/jot-header.tpl index be09fbebf..2670ba9e7 100755 --- a/view/tpl/jot-header.tpl +++ b/view/tpl/jot-header.tpl @@ -42,9 +42,9 @@ function enableOnUser(){ } </script> -<script src="library/blueimp_upload/js/vendor/jquery.ui.widget.js"></script> -<script src="library/blueimp_upload/js/jquery.iframe-transport.js"></script> -<script src="library/blueimp_upload/js/jquery.fileupload.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js"></script> <script> var activeCommentID = 0; diff --git a/view/tpl/msg-header.tpl b/view/tpl/msg-header.tpl index b6856f139..e8542b087 100755 --- a/view/tpl/msg-header.tpl +++ b/view/tpl/msg-header.tpl 
@@ -1,6 +1,6 @@ -<script src="library/blueimp_upload/js/vendor/jquery.ui.widget.js"></script> -<script src="library/blueimp_upload/js/jquery.iframe-transport.js"></script> -<script src="library/blueimp_upload/js/jquery.fileupload.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/vendor/jquery.ui.widget.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/jquery.iframe-transport.js"></script> +<script src="vendor/blueimp/jquery-file-upload/js/jquery.fileupload.js"></script> <script> $(document).ready(function() { |