update class.upload to v2.1.6, phpThumb to 1.7.22

Author: dleffler

external/ExtPrograms.csv

@@ -6,7 +6,7 @@ EmailValidator,3.2.6,github.com/egulias/EmailValidator,3.2.6/4.0.1,needed by swi
 ups-php,0.2,github.com/sanbornm/ups-php,0.2,"updated/fixed xml, etc to work"
 fedex-php,31.0.0,www.fedex.com/wpor/web/jsp/drclinks.jsp?links=wss/getstarted.html,31.0.0,copy/edit RateAvailableServicesWebServiceClient.php into fedexshippingcalculator->getRates()
 Smarty,3.1.27/4.3.4,smarty.net,4.3.4,
-phpthumb,1.7.21exp,github.com/JamesHeinrich/phpThumb,1.7.21,phpThumb.config.php - we also allow &amp in parsing and err command
+phpthumb,1.7.22exp,github.com/JamesHeinrich/phpThumb,1.7.22,phpThumb.config.php - we also allow &amp in parsing and err command
 getid3,1.9.22,github.com/JamesHeinrich/getID3,1.9.22,
 minify,2.3.3,github.com/mrclay/minify,2.3.3/3.0.14,modify config.php
 YUI2,2.9.0,developer.yahoo.com/yui/2,2.9.0,
@@ -20,7 +20,7 @@ Twitter model,2.3.1,github.com/tijsverkoyen/TwitterOAuth,2.3.1,placed in Twitter
 Twitter API,1.0.6,github.com/J7mbo/twitter-api-php,1.0.6,used by socialmedia module
 SimplePie,1.7.0,github.com/simplepie/simplepie,1.8.0,php 8 fix
 pixidou,0.1exp,github.com/asvinb/pixidou,0.1,"placed in Pixidou module, heavily modified at this point"
-class.upload,2.1.4exp,github.com/verot/class.upload.php,2.1.4,"Correct flip operation where flip vertical & horizontal were inverted/swapped, php 8 fix"
+class.upload,2.1.6exp,github.com/verot/class.upload.php,2.1.6,"Correct flip operation where flip vertical & horizontal were inverted/swapped, php 8 fix"
 iCalCreator,2.28.2,github.com/iCalcreator/iCalcreator,2.40.10/2.41.83,uncomment load utilities; php 8 fix
 scssphp,1.11.1exp,github.com/scssphp/scssphp,1.11.1,includes example server; hack to compile newui
 lessphp,0.5.0exp,github.com/leafo/lessphp,0.5.0,"will not compile bootstrap v3+, hack to allow prefix"

external/class.upload/README.md

@@ -89,10 +89,10 @@ Don't forget to add `enctype="multipart/form-data"` in your form tag `<form>` if
 
 ### Namespacing
 
-The class is now namespaced in the `Verot/Upload` namespace. If you have the error *Fatal error:  Class 'Upload' not found*, then make sure your file belongs to the namespace, or instantiate the class with its fully qualified name:
+The class is now namespaced in the `Verot/Upload` namespace. If you have the error *Fatal error:  Class 'Upload' not found*, then `use` the class fully qualified name, or instantiate the class with its fully qualified name:
 
 ```php
-namespace Verot\Upload;
+use Verot\Upload\Upload;
 $handle = new Upload($_FILES['image_field']);
 ```
 or
@@ -168,6 +168,23 @@ echo $handle->process();
 die();
 ```
 
+### Warning about security 
+
+By default, the class relies on MIME type detection to assess whether the file can be uploaded or not. Several MIME type detection methods are used, depending on the server configuration. The class relies on a blacklist of dangerous file extensions to prevent uploads (or to rename dangerous scripts as text files), as well as a whitelist of accepted MIME types.
+
+But it is not the purpose of this class to do in-depth checking and heuristics to attempt to detect maliciously crafted files. For instance, an attacker can craft a file that will have the correct MIME type, but will carry a malicious payload, such as a valid GIF file which would contain some code leading to a XSS vulnerability. If this GIF file has a .html extension, it may be uploaded (depending on the class's settings) and display an XSS vulnerability. 
+
+However, you can mitigate this by restricting the kind of files that can be uploaded, using `allowed` and `forbidden`, to whitelist and blacklist files depending on their MIME type or extension. *The most secure option would be to only whitelist extensions that you want to allow through, and then making sure that your server always serves the file with the content-type based on the file extension.* 
+
+For instance, if you only want to allow one type of file, you could whitelist only its file extension. In the following example, only .html files are let through, and are not converted to a text file:
+```php
+$handle->allowed   = array('html');
+$handle->forbidden = array();
+$handle->no_script = false;
+```
+
+In the end, it is your responsibility to make sure the correct files are uploaded. But more importantly, it is your responsibility to serve the uploaded files correctly, for instance by forcing the server to always provide the content-type based on the file extension.
+
 
 ### Troubleshooting
 

external/class.upload/class.upload.php

@@ -1892,6 +1892,8 @@ function init() {
             'bat',
             'phar',
             'wsdl',
+            'html',
+            'htm',
         );
 
         $this->forbidden = array_merge($this->dangerous, array(
@@ -2118,7 +2120,7 @@ function  __construct($file, $lang = 'en_GB')  {
      */
     function upload($file, $lang = 'en_GB') {
 
-        $this->version            = '09/12/2022';
+        $this->version            = '07/12/2023';
 
         $this->file_src_name      = '';
         $this->file_src_name_body = '';
@@ -5239,5 +5241,3 @@ function imagebmp(&$im, $filename = "") {
         return true;
     }
 }
-
-?>

external/class.upload/lang/class.upload.tr_TR.php

@@ -1,4 +1,3 @@
-
 <?php
 // +------------------------------------------------------------------------+
 // | class.upload.tr_TR.php                                                 |

external/phpThumb/phpthumb.class.php

@@ -265,7 +265,7 @@ class phpthumb {
 	public $issafemode       = null;
 	public $php_memory_limit = null;
 
-	public $phpthumb_version = '1.7.21-202307141720';
+	public $phpthumb_version = '1.7.22-202312071641';
 
 	//////////////////////////////////////////////////////////////////////
 
@@ -314,7 +314,7 @@ public function __destruct() {
 		$this->purgeTempFiles();
 	}
 
-	public function __set(string $name, mixed $value): void {
+	public function __set(string $name, $value): void {
 	}
 
 	// public: