Security fixes

5 years ago · a95c440837
parent 2f5c17cc0c
commit a95c440837
2 changed files with 36 additions and 16 deletions
--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@ -2260,6 +2260,14 @@ class UserManager
            $filename = $user_id.'_'.$filename;
        }

+        if (!file_exists($source_file)) {
+            return false;
+        }
+
+        $mimeContentType = mime_content_type($source_file);
+        if (false === strpos($mimeContentType, 'image')) {
+            return false;
+        }
        //Crop the image to adjust 1:1 ratio
        $image = new Image($source_file);
        $image->crop($cropParameters);
--- a/main/webservices/registration.soap.php
+++ b/main/webservices/registration.soap.php
@ -2078,6 +2078,13 @@ $server->register(
 // Define the method WSEditUserWithPicture
 function WSEditUserWithPicture($params)
 {
+    if (ini_get('allow_url_fopen')) {
+        return new soap_fault(
+            'Server',
+            '',
+            'WSEditUserWithPicture is disabled because allow_url_fopen is enabled in the server.'
+        );
+    }
    if (!WSHelperVerifyKey($params)) {
        return returnError(WS_ERROR_SECRET_KEY);
    }
@ -2118,25 +2125,16 @@ function WSEditUserWithPicture($params)
        $original_user_id_name
    );

-    // Get picture and generate uri.
-    $filename = basename($picture_url);
-    $tempDir = api_get_path(SYS_ARCHIVE_PATH);
-    // Make sure the file download was OK by checking the HTTP headers for OK
-    if (strpos(get_headers($picture_url)[0], "OK")) {
-        file_put_contents($tempDir.$filename, file_get_contents($picture_url));
-        $pictureUri = UserManager::update_user_picture($user_id, $filename, $tempDir.$filename);
+    if (empty($user_id)) {
+        return 0;
    }

-    if ($user_id == 0) {
-        return 0;
-    } else {
    $sql = "SELECT id FROM $table_user WHERE id =$user_id AND active= 0";
    $resu = Database::query($sql);
    $r_check_user = Database::fetch_row($resu);
    if (!empty($r_check_user[0])) {
        return 0;
    }
-    }

    // Check whether username already exits.
    $sql = "SELECT username FROM $table_user 
@ -2148,6 +2146,19 @@ function WSEditUserWithPicture($params)
        return 0;
    }

+    // Get picture and generate uri.
+    $filename = basename($picture_url);
+    $tempDir = api_get_path(SYS_ARCHIVE_PATH);
+    // Make sure the file download was OK by checking the HTTP headers for OK
+    if (strpos(get_headers($picture_url)[0], "OK")) {
+        $tempFile = $tempDir.uniqid('user_image', true);
+        file_put_contents($tempFile, file_get_contents($picture_url));
+        $pictureUri = UserManager::update_user_picture($user_id, $filename, $tempFile);
+        if (file_exists($tempFile)) {
+            unlink($tempFile);
+        }
+    }
+
    /** @var User $user */
    $user = $userRepository->find($user_id);

@ -2190,7 +2201,8 @@ function WSEditUserWithPicture($params)
        ->setExpirationDate($expiration_date)
        ->setHrDeptId($hr_dept_id)
        ->setActive(true)
-        ->setPictureUri($pictureUri);
+        ->setPictureUri($pictureUri)
+    ;

    if (!is_null($creator_id)) {
        $user->setCreatorId($creator_id);