From d8ac6f575ef719e89509d5e26fab608e6b0dfce0 Mon Sep 17 00:00:00 2001
From: Derky
Date: Mon, 18 Sep 2023 20:12:41 +0200
Subject: [PATCH 1/3] [ticket/security/279] Escape smilies URL and prevent paths in .pak filename

SECURITY-279
---
 phpBB/includes/acp/acp_icons.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/phpBB/includes/acp/acp_icons.php b/phpBB/includes/acp/acp_icons.php
index 4758e89a93..642e9cf06e 100644
--- a/phpBB/includes/acp/acp_icons.php
+++ b/phpBB/includes/acp/acp_icons.php
@@ -550,7 +550,7 @@ class acp_icons
 trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
- if (!($pak_ary = @file($phpbb_root_path . $img_path . '/' . $pak)))
+ if (!($pak_ary = @file($phpbb_root_path . $img_path . '/' . basename($pak))))
 {
 trigger_error($user->lang['PAK_FILE_NOT_READABLE'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
@@ -654,7 +654,7 @@ class acp_icons
 {
 $replace_sql = ($mode == 'smilies') ? $code : $img;
 $sql = array(
- $fields . '_url' => $img,
+ $fields . '_url' => utf8_substr(htmlspecialchars($img, ENT_COMPAT), 0, 50),
 $fields . '_height' => (int) $height,
 $fields . '_width' => (int) $width,
 'display_on_posting' => (int) $display_on_posting,
@@ -676,7 +676,7 @@ class acp_icons
 ++$order;
 
 $sql = array(
- $fields . '_url' => $img,
+ $fields . '_url' => utf8_substr(htmlspecialchars($img, ENT_COMPAT), 0, 50),
 $fields . '_height' => (int) $height,
 $fields . '_width' => (int) $width,
 $fields . '_order' => (int) $order,

From c4f42c1573a1c28de8e34cbe6abf587bcbe050c6 Mon Sep 17 00:00:00 2001
From: Derky
Date: Thu, 21 Sep 2023 15:41:20 +0200
Subject: [PATCH 2/3] [ticket/security/279] Use rawurlencode for escaping smilie URLs

SECURITY-279
---
 phpBB/includes/acp/acp_icons.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/phpBB/includes/acp/acp_icons.php b/phpBB/includes/acp/acp_icons.php
index 642e9cf06e..e577762506 100644
--- a/phpBB/includes/acp/acp_icons.php
+++ b/phpBB/includes/acp/acp_icons.php
@@ -654,7 +654,7 @@ class acp_icons
 {
 $replace_sql = ($mode == 'smilies') ? $code : $img;
 $sql = array(
- $fields . '_url' => utf8_substr(htmlspecialchars($img, ENT_COMPAT), 0, 50),
+ $fields . '_url' => utf8_substr(rawurlencode($img), 0, 50),
 $fields . '_height' => (int) $height,
 $fields . '_width' => (int) $width,
 'display_on_posting' => (int) $display_on_posting,
@@ -676,7 +676,7 @@ class acp_icons
 ++$order;
 
 $sql = array(
- $fields . '_url' => utf8_substr(htmlspecialchars($img, ENT_COMPAT), 0, 50),
+ $fields . '_url' => utf8_substr(rawurlencode($img), 0, 50),
 $fields . '_height' => (int) $height,
 $fields . '_width' => (int) $width,
 $fields . '_order' => (int) $order,

From 266376af2e0cc52868fc345554440b81460da114 Mon Sep 17 00:00:00 2001
From: Derky
Date: Thu, 21 Sep 2023 15:48:01 +0200
Subject: [PATCH 3/3] [ticket/security/279] Use utf8_basename for smilies pak file check

SECURITY-279
---
 phpBB/includes/acp/acp_icons.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/phpBB/includes/acp/acp_icons.php b/phpBB/includes/acp/acp_icons.php
index e577762506..0a5eec4471 100644
--- a/phpBB/includes/acp/acp_icons.php
+++ b/phpBB/includes/acp/acp_icons.php
@@ -550,7 +550,7 @@ class acp_icons
 trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
- if (!($pak_ary = @file($phpbb_root_path . $img_path . '/' . basename($pak))))
+ if (!($pak_ary = @file($phpbb_root_path . $img_path . '/' . utf8_basename($pak))))
 {
 trigger_error($user->lang['PAK_FILE_NOT_READABLE'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
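Review bot: Truncating after encoding on the `_url` line of the 654 hunk can cut a percent-escape in half: rawurlencode() expands every byte outside the unreserved set to three characters, so a 50-character cap applied to the encoded string can end on `%E` or a bare `%`, leaving an invalid escape in the stored value that no longer names the file. The `_url` line of the 676 hunk has the same issue. The cap presumably matches the width of the `_url` column; if so, an entry whose encoded name does not fit should be skipped or reported rather than silently shortened, e.g. `$url = rawurlencode($img);` followed by `if (strlen($url) > 50) { /* skip or report this entry */ }`. rawurlencode() also turns `/` into `%2F`, so if `$img` can carry a sub-directory prefix, encoding per path segment with `implode('/', array_map('rawurlencode', explode('/', $img)))` keeps the separators intact while still escaping the file name. Both loop bodies start and end outside their hunks.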
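Review bot: The utf8_basename() guard on the changed line of the 550 hunk confines the read to `$img_path`, but any readable file in that directory is still accepted and used as the pak line list; a check that the stripped name ends in `.pak`, the only type this import expects, would reject other files explicitly, e.g. `$pak = utf8_basename($pak);` followed by `if (substr($pak, -4) !== '.pak') { trigger_error($user->lang['PAK_FILE_NOT_READABLE'] . adm_back_link($this->u_action), E_USER_WARNING); }`. The `@` on file() also folds "missing", "unreadable" and "is a directory" into one message, which makes a failed import hard to diagnose from the log; an `is_file()` check on the composed path before the read gives a clearer failure. As far as I can tell phpBB's utf8_basename() strips both `/` and `\` separators in pure PHP, which is what makes it preferable to the locale-dependent basename() used by the first patch in this series — worth confirming against the helper. Where `$pak` is read from the request lies outside the hunk, as does the rest of the method.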