Fix command injection via crafted im_convert_path/im_identify_path on…

… Windows Reported by Huy Nguyễn Phạm Nhật.
roundcube · May 19, 2024 · 5ea9f37 · 5ea9f37
1 parent b949398
commit 5ea9f37
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Fix bug in collapsing/expanding folders with some special characters in names (#9324)
 - Fix PHP8 warnings (#9363, #9365, #9429)
 - Fix missing field labels in CSV import, for some locales (#9393)
+- Fix command injection via crafted im_convert_path/im_identify_path on Windows
 
 ## Release 1.6.6
 

diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php
@@ -489,18 +489,20 @@ private static function getCommand($opt_name)
     {
         static $error = [];
 
-        $cmd = rcube::get_instance()->config->get($opt_name);
+        $cmd = (string) rcube::get_instance()->config->get($opt_name);
 
         if (empty($cmd)) {
             return false;
         }
 
+        $cmd = trim($cmd);
+
         if (preg_match('/^(convert|identify)(\.exe)?$/i', $cmd)) {
             return $cmd;
         }
 
         // Executable must exist, also disallow network shares on Windows
-        if ($cmd[0] != "\\" && file_exists($cmd)) {
+        if ($cmd[0] !== '\\' && strpos($cmd, '//') !== 0 && file_exists($cmd)) {
             return $cmd;
         }