Fixes file disclosure vulnerability in image_resized.php

- Do not allow protocol handlers or absolute paths
- Force absolute paths related to the current directory
- Some minor changes

Author: slackero

image_resized.php

@@ -11,70 +11,93 @@
 
 // <img src="image_resized.php?format=jpg&w=100&h=200&q=85&imgfile=test.jpg" alt="" border="0">
 
-$img_target = (isset($_GET['format'])) ? strtolower(trim($_GET['format'])) : 'jpg';
-$img_file   = (isset($_GET['imgfile'])) ? trim($_GET['imgfile']) : 'img/leer.gif';
-$img_width  = (isset($_GET['w'])) ? intval($_GET['w']) : 0;
-$img_height = (isset($_GET['h'])) ? intval($_GET['h']) : 0;
-$img_quality= (isset($_GET['q']) && intval($_GET['q']) <= 100 && intval($_GET['q'])) ? intval($_GET['q']) : 75;
-
-$img_file   = str_replace(array('http://', 'https://'), '', $img_file);
-
-switch($img_target) {
+$img_target = isset($_GET['format']) ? strtolower(trim($_GET['format'])) : 'jpg';
+$img_file = isset($_GET['imgfile']) ? trim(urldecode($_GET['imgfile'])) : 'img/leer.gif';
+$img_width = isset($_GET['w']) ? (int)$_GET['w'] : 0;
+$img_height = isset($_GET['h']) ? (int)$_GET['h'] : 0;
+$img_quality = isset($_GET['q']) && (int)$_GET['q'] <= 100 && (int)$_GET['q'] ? (int)$_GET['q'] : 75;
+$result = false;
+
+// Ensure no protocol handlers (http://…) or something like C:\ or C:/ or ./ or ../ is part of the file name
+if (
+    $img_file
+    &&
+    (
+        $img_file[0] === '.'
+        ||
+        $img_file[0] === '/'
+        ||
+        $img_file[0] === '\\'
+        ||
+        strpos($img_file, ':/') !== false
+        ||
+        strpos($img_file, './') !== false
+        ||
+        strpos($img_file, ':\\') !== false
+        ||
+        strpos($img_file, '.\\') !== false
+    )
+) {
+    $img_file = '';
+} else {
+    // Absolute path only related to the current directory
+    $img_file = __DIR__ . '/' . $img_file;
+}
 
+switch ($img_target) {
     case 'png':
-        $img_mimetype   = 'image/png';
-        $img_target     = 'jpg';
+        $img_mimetype = 'image/png';
+        $img_target = 'jpg';
         break;
 
     case 'gif':
-        if(function_exists('imagegif')) {
+        if (function_exists('imagegif')) {
             $img_mimetype = 'image/gif';
-            $img_target   = 'gif';
+            $img_target = 'gif';
         } else {
-            $img_target   = 'png';
+            $img_target = 'png';
             $img_mimetype = 'image/png';
         }
         break;
 
     case 'webp':
-        $img_mimetype   = 'image/webp';
-        $img_target     = 'webp';
+        $img_mimetype = 'image/webp';
+        $img_target = 'webp';
         break;
 
     case 'jpeg':
     case 'jpg':
     default:
-        $img_mimetype   = 'image/jpeg';
-        $img_target     = 'jpg';
-
+        $img_mimetype = 'image/jpeg';
+        $img_target = 'jpg';
 }
 
-if(is_file($img_file) && $img_info = getimagesize($img_file)) {
+if ($img_file !== '' && is_readable($img_file) && $img_info = getimagesize($img_file)) {
 
-    if(!$img_width || $img_width >= $img_info[0]) {
+    if (!$img_width || $img_width >= $img_info[0]) {
         $percent_width = 1;
     } else {
         $percent_width = $img_width / $img_info[0];
     }
 
-    if(!$img_height || $img_height >= $img_info[1]) {
+    if (!$img_height || $img_height >= $img_info[1]) {
         $percent_height = 1;
     } else {
         $percent_height = $img_height / $img_info[1];
     }
 
-    if($percent_height < $percent_width) {
+    if ($percent_height < $percent_width) {
         $percent = $percent_height;
-    } elseif($percent_height > $percent_width) {
+    } elseif ($percent_height > $percent_width) {
         $percent = $percent_width;
     } else {
         $percent = $percent_width;
     }
 
-    $img_width  = $img_info[0] * $percent;
+    $img_width = $img_info[0] * $percent;
     $img_height = $img_info[1] * $percent;
 
-    switch($img_target) {
+    switch ($img_target) {
         case 'jpg':
         case 'png':
         case 'webp':
@@ -86,8 +109,7 @@
             break;
     }
 
-    switch($img_info[2]) {
-
+    switch ($img_info[2]) {
         case IMAGETYPE_GIF: // GIF
             $img_source = imagecreatefromgif($img_file);
             break;
@@ -105,41 +127,37 @@
             break;
     }
 
-    imagecopyresized($new_img, $img_source, 0, 0, 0, 0, $img_width, $img_height, $img_info[0], $img_info[1]);
-
-    header('Content-type: '.$img_mimetype);
-
-    switch($img_target) {
-
-        case 'jpg':
-            imagejpeg($new_img, NULL, $img_quality);
-            break;
-
-        case 'webp':
-            imagewebp($new_img, NULL, $img_quality);
-            break;
-
-        case 'png':
-            imagepng($new_img, NULL, 9);
-            break;
-
-        case 'gif':
-            imagegif($new_img);
-            break;
-
+    $result = imagecopyresized($new_img, $img_source, 0, 0, 0, 0, $img_width, $img_height, $img_info[0], $img_info[1]);
+
+    if ($result) {
+        header('Content-type: ' . $img_mimetype);
+
+        switch ($img_target) {
+            case 'jpg':
+                $result = imagejpeg($new_img, NULL, $img_quality);
+                break;
+            case 'webp':
+                $result = imagewebp($new_img, NULL, $img_quality);
+                break;
+            case 'png':
+                $result = imagepng($new_img, NULL, 9);
+                break;
+            case 'gif':
+                $result = imagegif($new_img);
+                break;
+        }
     }
 
     imagedestroy($new_img);
     imagedestroy($img_source);
+}
 
-} else {
-
-    // error / no image
-    header ('Content-type: image/png');
+// Error / no image
+if (!$result) {
+    header('Content-type: image/png');
     $new_img = imagecreatetruecolor(75, 20);
     $text_color = imagecolorallocate($new_img, 255, 255, 255);
-    imagestring($new_img, 1, 5, 5,  "Image Error", $text_color);
+    imagestring($new_img, 1, 5, 5, 'Image Error', $text_color);
     imagepng($new_img, NULL, 9);
     imagedestroy($new_img);
-
 }