Task #3055 - Implementing the method Security::filter_img_path().

15 years ago · 43c9aaf9d4
parent b04f6241cf
commit 43c9aaf9d4
2 changed files with 44 additions and 18 deletions
--- a/main/inc/lib/display.lib.php
+++ b/main/inc/lib/display.lib.php
@ -661,24 +661,7 @@ class Display {
    public static function img($image_path, $alt_text = '', $additional_attributes = array()) {

        // Sanitizing the parameter $image_path
-        $image_path = htmlspecialchars(trim($image_path)); // No html code is allowed.
-        if (strpos($image_path, '?') !== false) {
-            // We allow static images only, query strings are forbidden here.
-            $image_path = '';
-        }
-        if (($pos = strpos($image_path, ':')) !== false) {
-            // Protocol has been specified, let's check it.
-            if (strpos($image_path, ':', $pos + 1) === false) {
-                $protocol = substr($image_path, 0, $pos + 3);
-                if (strcasecmp($protocol, 'http://') != 0 && strcasecmp($protocol, 'https://') != 0) {
-                    // Allowed protocols: http:// , https://
-                    $image_path = '';
-                }
-            } else {
-                // Protocol should be specified only once.
-                $image_path = '';
-            }
-        }
+        $image_path = Security::filter_img_path($image_path);

        $attribute_list = '';
        // alt text = the image name if there is none provided (for XHTML compliance)
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@ -303,4 +303,47 @@ class Security {
            return $purifier[$user_status]->purify($var);
        }
    }
+
+    /**
+     * This method provides specific protection (against XSS and other kinds of attacks) for static images (icons) used by the system.
+     * Image paths are supposed to be given by programmers - people who know what they do, anyway, this method encourages
+     * a safe practice for generating icon paths, without using heavy solutions based on HTMLPurifier for example.
+     * @param string $img_path          The input path of the image, it could be relative or absolute URL.
+     * @return string                   Returns sanitized image path or an empty string when the image path is not secure.
+     * @author Ivan Tcholakov, March 2011
+     */
+    public static function filter_img_path($image_path) {
+        static $allowed_extensions = array('png', 'gif', 'jpg', 'jpeg');
+        $image_path = htmlspecialchars(trim($image_path)); // No html code is allowed.
+        // We allow static images only, query strings are forbidden.
+        if (strpos($image_path, '?') !== false) {
+            return '';
+        }
+        if (($pos = strpos($image_path, ':')) !== false) {
+            // Protocol has been specified, let's check it.
+            if (stripos($image_path, 'javascript:') !== false) {
+                // Javascript everywhere in the path is not allowed.
+                return '';
+            }
+            // We allow only http: and https: protocols for now.
+            //if (!preg_match('/^https?:\/\//i', $image_path)) {
+            //    return '';
+            //}
+            if (stripos($image_path, 'http://') !== 0 && stripos($image_path, 'https://') !== 0) {
+                return '';
+            }
+        }
+        // We allow file extensions for images only.
+        //if (!preg_match('/.+\.(png|gif|jpg|jpeg)$/i', $image_path)) {
+        //    return '';
+        //}
+        if (($pos = strrpos($image_path, '.')) !== false) {
+            if (!in_array(strtolower(substr($image_path, $pos + 1)), $allowed_extensions)) {
+                return '';
+            }
+        } else {
+            return '';
+        }
+        return $image_path;
+    }
 }