Security fix for Download Images
authortcit <tcit@tcit.fr>
Sun, 18 May 2014 20:11:56 +0000 (22:11 +0200)
committertcit <tcit@tcit.fr>
Sun, 18 May 2014 20:11:56 +0000 (22:11 +0200)
inc/poche/pochePictures.php

index e4b0b1608843b0ec8d0a81642a44fb8c2e55d161..3202f2ccfd9192aab91acf654b54f75a3da4b6f4 100644 (file)
@@ -72,9 +72,39 @@ function download_pictures($absolute_path, $fullpath)
     if(file_exists($fullpath)) {
         unlink($fullpath);
     }
-    $fp = fopen($fullpath, 'x');
-    fwrite($fp, $rawdata);
-    fclose($fp);
+    
+    // check extension
+    $file_ext = strrchr($fullpath, '.');
+    $whitelist = array(".jpg",".jpeg",".gif",".png"); 
+    if (!(in_array($file_ext, $whitelist))) {
+        Tools::logm('processed image with not allowed extension. Skipping ' . $fullpath);
+    } else {
+        // check headers
+        $imageinfo = getimagesize($absolute_path);
+        if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
+            Tools::logm('processed image with bad header. Skipping ' . $fullpath);
+        } else {
+            // regenerate image
+            $im = imagecreatefromstring($rawdata);
+            if ($im) {
+                switch ($imageinfo['mime']) {
+                    case 'image/gif':
+                        imagegif($im, $fullpath);
+                        break;
+                    case 'image/jpeg':
+                    case 'image/jpg':
+                        imagejpeg($im, $fullpath); // default quality is 75%
+                        break;
+                    case 'image/png':
+                        imagepng($im, $fullpath);
+                        break;
+                }
+                imagedestroy($im);
+            } else {
+             Tools::logm('error while regenerating image ' . $fullpath);
+            }
+        }
+    }
 }
 
 /**
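Review bot: The MIME check at `$imageinfo = getimagesize($absolute_path);` inspects a separate fetch of the remote resource, while the bytes that are actually decoded and written are `$rawdata` (presumably downloaded earlier in the function from the same URL), so the check and the data can disagree — the server can answer the second request differently, and `getimagesize` will also follow `$absolute_path` wherever it points. Validating the buffer itself keeps both on the same bytes and also covers the case where `getimagesize` returns `false` and `$imageinfo['mime']` is read off a boolean: `$imageinfo = getimagesizefromstring($rawdata);` (PHP 5.4+) followed by `if ($imageinfo === false || !in_array($imageinfo['mime'], array('image/gif', 'image/jpeg', 'image/png'), true))`. Note also that the `unlink($fullpath)` at the top of the hunk now runs before any validation, so a download that is rejected by the new checks still removes the previously stored image; moving the delete next to the `image*()` write call would avoid that. `download_pictures` starts before this hunk; the `$rawdata` and `$absolute_path` origin is not visible here.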