
Fix/phpthumb filter user parameters #13979


Merged: 4 commits merged into modxcms:2.x from fix/phpthumb_filter_user_parameters on Jul 9, 2018

Conversation

@alroniks (Collaborator) commented Jul 7, 2018

What does it do?

It limits the parameters passed into the phpThumb class that come from user input.

Why is it needed?

It fixes an important security issue. Let's discuss details personally in Slack.

Related issue(s)/PR(s)

Some part of code related to this 9a80ac5#diff-2
#7632
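The two ideas named in this PR (forwarding only an allow-list of user-supplied option names to phpThumb, and doing the membership test with `in_array` in strict mode) can be illustrated with a small standalone script. This is an added example, not the MODX or phpThumb code from the PR; the allow-list below is an assumed subset of phpThumb option names, and `filterPhpThumbOptions` and `compareModes` are hypothetical helper names.

```php
<?php
// Added illustration of allow-list filtering for user-supplied phpThumb
// options. Not the MODX/phpThumb code from PR #13979.

// Assumed subset of phpThumb option names that may be forwarded (assumption).
const ALLOWED_PHPTHUMB_OPTIONS = ['w', 'h', 'q', 'zc', 'f'];

/**
 * Keep only the user-supplied keys whose names are on the allow-list.
 * $strict mirrors the difference between in_array($needle, $haystack)
 * and in_array($needle, $haystack, true) that the PR's "strict mode" commit
 * is about.
 */
function filterPhpThumbOptions(array $userInput, bool $strict = true): array
{
    $clean = [];
    foreach ($userInput as $name => $value) {
        if (in_array($name, ALLOWED_PHPTHUMB_OPTIONS, $strict)) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

/**
 * Run the same constructed input through loose and strict filtering and
 * return the option names that survive each mode.
 */
function compareModes(): array
{
    // Constructed sample input: two legitimate options, one unknown option
    // name, and a numeric-string key. PHP converts the key '0' to the
    // integer 0, which is the case where loose comparison misbehaves.
    $userInput = [
        'w'      => '300',
        'h'      => '200',
        'config' => 'not an allowed option',
        '0'      => 'numeric key',
    ];

    return [
        'loose'  => array_keys(filterPhpThumbOptions($userInput, false)),
        'strict' => array_keys(filterPhpThumbOptions($userInput, true)),
    ];
}

print_r(compareModes());
```

On PHP 7, the loose run keeps the integer key `0` because `0 == 'w'` is true under PHP 7's int-to-string comparison rules, so an option name that was never on the allow-list slips through; the strict run drops it. On PHP 8 the loose comparison was changed so that `0 == 'w'` is false and both modes agree, but passing `true` as the third argument makes the check correct regardless of the interpreter version, which is the point of the "Added strict mode for in_array" commit.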

@alroniks alroniks requested review from Mark-H and opengeek as code owners July 7, 2018 09:05
@alroniks alroniks requested a review from bezumkin July 9, 2018 09:25
@alroniks alroniks merged commit a55c402 into modxcms:2.x Jul 9, 2018
alroniks pushed a commit that referenced this pull request Jul 9, 2018


* upstream/pr/13979:
  Added strict mode for in_array
  Returns the previously missed consideration of the phpthumb_imagemagick_path system setting
  Limit parameters incoming from users to only those allowed by phpthumb
  Some code cleanup before fix
@alroniks alroniks deleted the fix/phpthumb_filter_user_parameters branch July 9, 2018 11:47
opengeek added a commit that referenced this pull request Jul 11, 2018
@opengeek opengeek added this to the v2.6.5 milestone Jul 12, 2018
@opengeek opengeek added bug The issue in the code or project, which should be addressed. area-security urgent The issue requires attention and has higher priority over others. labels Jul 12, 2018