From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/lib/Roundcube/rcube_image.php |   59 +++++++++++++++++++++++++++++++++++++++++------------------
 1 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php
index ad96842..ffcfd4b 100644
--- a/program/lib/Roundcube/rcube_image.php
+++ b/program/lib/Roundcube/rcube_image.php
@@ -77,7 +77,8 @@
     }
 
     /**
-     * Resize image to a given size
+     * Resize image to a given size. Use only to shrink an image.
+     * If an image is smaller than specified size it will be not resized.
      *
      * @param int    $size      Max width/height size
      * @param string $filename  Output filename
@@ -119,28 +120,43 @@
             $p['-opts'] = array('-resize' => $p['size'].'>');
 
             if (in_array($type, explode(',', $p['types']))) { // Valid type?
-                $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace RGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p);
+                $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p);
             }
 
             if ($result === '') {
+                @chmod($filename, 0600);
                 return $type;
             }
         }
 
         // use GD extension
-        $gd_types = array(IMAGETYPE_JPEG, IMAGETYPE_GIF, IMAGETYPE_PNG);
-        if ($props['gd_type'] && in_array($props['gd_type'], $gd_types)) {
-            if ($props['gd_type'] == IMAGETYPE_JPEG) {
+        if ($props['gd_type']) {
+            if ($props['gd_type'] == IMAGETYPE_JPEG && function_exists('imagecreatefromjpeg')) {
                 $image = imagecreatefromjpeg($this->image_file);
+                $type  = 'jpg';
             }
-            elseif($props['gd_type'] == IMAGETYPE_GIF) {
+            else if($props['gd_type'] == IMAGETYPE_GIF && function_exists('imagecreatefromgif')) {
                 $image = imagecreatefromgif($this->image_file);
+                $type  = 'gid';
             }
-            elseif($props['gd_type'] == IMAGETYPE_PNG) {
+            else if($props['gd_type'] == IMAGETYPE_PNG && function_exists('imagecreatefrompng')) {
                 $image = imagecreatefrompng($this->image_file);
+                $type  = 'png';
+            }
+            else {
+                // @TODO: print error to the log?
+                return false;
             }
 
-            $scale  = $size / max($props['width'], $props['height']);
+            $scale = $size / max($props['width'], $props['height']);
+
+            // Imagemagick resize is implemented in shrinking mode (see -resize argument above)
+            // we do the same here, if an image is smaller than specified size
+            // we do nothing but copy original file to destination file
+            if ($scale > 1) {
+                return $this->image_file == $filename || copy($this->image_file, $filename) ? $type : false;
+            }
+
             $width  = $props['width']  * $scale;
             $height = $props['height'] * $scale;
 
@@ -159,18 +175,16 @@
 
             if ($props['gd_type'] == IMAGETYPE_JPEG) {
                 $result = imagejpeg($image, $filename, 75);
-                $type = 'jpg';
             }
             elseif($props['gd_type'] == IMAGETYPE_GIF) {
                 $result = imagegif($image, $filename);
-                $type = 'gid';
             }
             elseif($props['gd_type'] == IMAGETYPE_PNG) {
                 $result = imagepng($image, $filename, 6, PNG_ALL_FILTERS);
-                $type = 'png';
             }
 
             if ($result) {
+                @chmod($filename, 0600);
                 return $type;
             }
         }
@@ -208,26 +222,30 @@
             $p['out']  = $filename;
             $p['type'] = self::$extensions[$type];
 
-            $result = rcube::exec($convert . ' 2>&1 -colorspace RGB -quality 75 {in} {type}:{out}', $p);
+            $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -quality 75 {in} {type}:{out}', $p);
 
             if ($result === '') {
+                @chmod($filename, 0600);
                 return true;
             }
         }
 
         // use GD extension (TIFF isn't supported)
-        $props    = $this->props();
-        $gd_types = array(IMAGETYPE_JPEG, IMAGETYPE_GIF, IMAGETYPE_PNG);
+        $props = $this->props();
 
-        if ($props['gd_type'] && in_array($props['gd_type'], $gd_types)) {
-            if ($props['gd_type'] == IMAGETYPE_JPEG) {
+        if ($props['gd_type']) {
+            if ($props['gd_type'] == IMAGETYPE_JPEG && function_exists('imagecreatefromjpeg')) {
                 $image = imagecreatefromjpeg($this->image_file);
             }
-            else if ($props['gd_type'] == IMAGETYPE_GIF) {
+            else if ($props['gd_type'] == IMAGETYPE_GIF && function_exists('imagecreatefromgif')) {
                 $image = imagecreatefromgif($this->image_file);
             }
-            else if ($props['gd_type'] == IMAGETYPE_PNG) {
+            else if ($props['gd_type'] == IMAGETYPE_PNG && function_exists('imagecreatefrompng')) {
                 $image = imagecreatefrompng($this->image_file);
+            }
+            else {
+                // @TODO: print error to the log?
+                return false;
             }
 
             if ($type == self::TYPE_JPG) {
@@ -239,6 +257,11 @@
             else if ($type == self::TYPE_PNG) {
                 $result = imagepng($image, $filename, 6, PNG_ALL_FILTERS);
             }
+
+            if ($result) {
+                @chmod($filename, 0600);
+                return true;
+            }
         }
 
         // @TODO: print error to the log?

--
Gitblit v1.9.1