Release phpwcms v1.9.46, the legacy version

Merge branch 'v1.9-dev' into phpwcms-legacy

Author: slackero

README.md

@@ -26,7 +26,7 @@ root or sub folder. Link your browser to the related URL and follow the install
 Server system requirements
 --------------------------
 
-**phpwcms** version 1.9.45 requires a web server with PHP 7.4 or newer.
+**phpwcms** version 1.9.46 requires a web server with PHP 7.4 or newer.
 and a MySQL/MariaDB database (minimum version 5.1, recommend 5.5+).
 If you already use PHP v8.x you should use the latest version of
 [**phpwcms v1.10**](https://github.com/slackero/phpwcms/releases?q=1.10&expanded=true).

composer.json

@@ -11,23 +11,26 @@
         "algo26-matthias/idna-convert": "^v3.2.0",
         "enshrined/svg-sanitize": "^0.21.0",
         "netcarver/textile": "v4.1.3",
-        "league/commonmark": "^2.6.1",
+        "league/commonmark": "^2.7.0",
         "ezyang/htmlpurifier": "^v4.18.0",
         "openpsa/universalfeedcreator": "^v1.9.0",
-        "phpmailer/phpmailer": "^v6.9.3",
+        "phpmailer/phpmailer": "^v6.10.0",
         "phpoffice/phpspreadsheet": "^1.29.10",
         "simplepie/simplepie": "@dev",
         "html2text/html2text": "^4.3.2",
-        "symfony/polyfill-mbstring": "^v1.31.0",
-        "symfony/polyfill-php73": "^v1.31.0",
-        "symfony/polyfill-php74": "^v1.31.0",
-        "symfony/polyfill-php80": "^v1.31.0",
-        "symfony/polyfill-php81": "^v1.31.0",
-        "symfony/polyfill-php82": "^v1.31.0",
-        "symfony/polyfill-php83": "^v1.31.0",
+        "symfony/polyfill-mbstring": "^v1.32.0",
+        "symfony/polyfill-php73": "^v1.32.0",
+        "symfony/polyfill-php74": "^v1.32.0",
+        "symfony/polyfill-php80": "^v1.32.0",
+        "symfony/polyfill-php81": "^v1.32.0",
+        "symfony/polyfill-php82": "^v1.32.0",
+        "symfony/polyfill-php83": "^v1.32.0",
         "ext-intl": "*",
         "ext-gd": "*",
         "ext-mysqli": "*",
         "ext-mbstring": "*"
+    },
+    "require-dev": {
+        "roave/security-advisories": "dev-latest"
     }
 }

image_resized.php

@@ -11,70 +11,93 @@
 
 // <img src="image_resized.php?format=jpg&w=100&h=200&q=85&imgfile=test.jpg" alt="" border="0">
 
-$img_target = (isset($_GET['format'])) ? strtolower(trim($_GET['format'])) : 'jpg';
-$img_file   = (isset($_GET['imgfile'])) ? trim($_GET['imgfile']) : 'img/leer.gif';
-$img_width  = (isset($_GET['w'])) ? intval($_GET['w']) : 0;
-$img_height = (isset($_GET['h'])) ? intval($_GET['h']) : 0;
-$img_quality= (isset($_GET['q']) && intval($_GET['q']) <= 100 && intval($_GET['q'])) ? intval($_GET['q']) : 75;
-
-$img_file   = str_replace(array('http://', 'https://'), '', $img_file);
-
-switch($img_target) {
+$img_target = isset($_GET['format']) ? strtolower(trim($_GET['format'])) : 'jpg';
+$img_file = isset($_GET['imgfile']) ? trim(urldecode($_GET['imgfile'])) : 'img/leer.gif';
+$img_width = isset($_GET['w']) ? (int)$_GET['w'] : 0;
+$img_height = isset($_GET['h']) ? (int)$_GET['h'] : 0;
+$img_quality = isset($_GET['q']) && (int)$_GET['q'] <= 100 && (int)$_GET['q'] ? (int)$_GET['q'] : 75;
+$result = false;
+
+// Ensure no protocol handlers (http://…) or something like C:\ or C:/ or ./ or ../ is part of the file name
+if (
+    $img_file
+    &&
+    (
+        $img_file[0] === '.'
+        ||
+        $img_file[0] === '/'
+        ||
+        $img_file[0] === '\\'
+        ||
+        strpos($img_file, ':/') !== false
+        ||
+        strpos($img_file, './') !== false
+        ||
+        strpos($img_file, ':\\') !== false
+        ||
+        strpos($img_file, '.\\') !== false
+    )
+) {
+    $img_file = '';
+} else {
+    // Absolute path only related to the current directory
+    $img_file = __DIR__ . '/' . $img_file;
+}
 
+switch ($img_target) {
     case 'png':
-        $img_mimetype   = 'image/png';
-        $img_target     = 'jpg';
+        $img_mimetype = 'image/png';
+        $img_target = 'jpg';
         break;
 
     case 'gif':
-        if(function_exists('imagegif')) {
+        if (function_exists('imagegif')) {
             $img_mimetype = 'image/gif';
-            $img_target   = 'gif';
+            $img_target = 'gif';
         } else {
-            $img_target   = 'png';
+            $img_target = 'png';
             $img_mimetype = 'image/png';
         }
         break;
 
     case 'webp':
-        $img_mimetype   = 'image/webp';
-        $img_target     = 'webp';
+        $img_mimetype = 'image/webp';
+        $img_target = 'webp';
         break;
 
     case 'jpeg':
     case 'jpg':
     default:
-        $img_mimetype   = 'image/jpeg';
-        $img_target     = 'jpg';
-
+        $img_mimetype = 'image/jpeg';
+        $img_target = 'jpg';
 }
 
-if(is_file($img_file) && $img_info = getimagesize($img_file)) {
+if ($img_file !== '' && is_readable($img_file) && $img_info = getimagesize($img_file)) {
 
-    if(!$img_width || $img_width >= $img_info[0]) {
+    if (!$img_width || $img_width >= $img_info[0]) {
         $percent_width = 1;
     } else {
         $percent_width = $img_width / $img_info[0];
     }
 
-    if(!$img_height || $img_height >= $img_info[1]) {
+    if (!$img_height || $img_height >= $img_info[1]) {
         $percent_height = 1;
     } else {
         $percent_height = $img_height / $img_info[1];
     }
 
-    if($percent_height < $percent_width) {
+    if ($percent_height < $percent_width) {
         $percent = $percent_height;
-    } elseif($percent_height > $percent_width) {
+    } elseif ($percent_height > $percent_width) {
         $percent = $percent_width;
     } else {
         $percent = $percent_width;
     }
 
-    $img_width  = $img_info[0] * $percent;
+    $img_width = $img_info[0] * $percent;
     $img_height = $img_info[1] * $percent;
 
-    switch($img_target) {
+    switch ($img_target) {
         case 'jpg':
         case 'png':
         case 'webp':
@@ -86,8 +109,7 @@
             break;
     }
 
-    switch($img_info[2]) {
-
+    switch ($img_info[2]) {
         case IMAGETYPE_GIF: // GIF
             $img_source = imagecreatefromgif($img_file);
             break;
@@ -105,41 +127,37 @@
             break;
     }
 
-    imagecopyresized($new_img, $img_source, 0, 0, 0, 0, $img_width, $img_height, $img_info[0], $img_info[1]);
-
-    header('Content-type: '.$img_mimetype);
-
-    switch($img_target) {
-
-        case 'jpg':
-            imagejpeg($new_img, NULL, $img_quality);
-            break;
-
-        case 'webp':
-            imagewebp($new_img, NULL, $img_quality);
-            break;
-
-        case 'png':
-            imagepng($new_img, NULL, 9);
-            break;
-
-        case 'gif':
-            imagegif($new_img);
-            break;
-
+    $result = imagecopyresized($new_img, $img_source, 0, 0, 0, 0, $img_width, $img_height, $img_info[0], $img_info[1]);
+
+    if ($result) {
+        header('Content-type: ' . $img_mimetype);
+
+        switch ($img_target) {
+            case 'jpg':
+                $result = imagejpeg($new_img, NULL, $img_quality);
+                break;
+            case 'webp':
+                $result = imagewebp($new_img, NULL, $img_quality);
+                break;
+            case 'png':
+                $result = imagepng($new_img, NULL, 9);
+                break;
+            case 'gif':
+                $result = imagegif($new_img);
+                break;
+        }
     }
 
     imagedestroy($new_img);
     imagedestroy($img_source);
+}
 
-} else {
-
-    // error / no image
-    header ('Content-type: image/png');
+// Error / no image
+if (!$result) {
+    header('Content-type: image/png');
     $new_img = imagecreatetruecolor(75, 20);
     $text_color = imagecolorallocate($new_img, 255, 255, 255);
-    imagestring($new_img, 1, 5, 5,  "Image Error", $text_color);
+    imagestring($new_img, 1, 5, 5, 'Image Error', $text_color);
     imagepng($new_img, NULL, 9);
     imagedestroy($new_img);
-
 }

include/inc_front/content.func.inc.php

@@ -461,7 +461,7 @@
     $sql .= "WHERE template_trash=0 ORDER BY template_default DESC LIMIT 1";
     $result = _dbQuery($sql);
     if(isset($result[0]['template_var'])) {
-        $block = @unserialize($result[0]['template_var']);
+        $block = @unserialize($result[0]['template_var'], ['allowed_classes' => false]);
     }
 }
 
@@ -515,7 +515,7 @@
 $sql .= " LIMIT 1";
 $result = _dbQuery($sql);
 if(isset($result[0]['pagelayout_var'])) {
-    $pagelayout = @unserialize($result[0]['pagelayout_var']);
+    $pagelayout = @unserialize($result[0]['pagelayout_var'], ['allowed_classes' => false]);
     // if print action
     if($aktion[2] === 1) {
         $pagelayout = array(

include/inc_front/content/cnt0.article.inc.php

@@ -40,7 +40,7 @@
 $crow["acontent_template"] = render_cnt_template($crow["acontent_template"], 'TITLE', html_specialchars($crow['acontent_title']));
 $crow["acontent_template"] = render_cnt_template($crow["acontent_template"], 'SUBTITLE', html_specialchars($crow['acontent_subtitle']));
 
-$crow["acontent_form"] = @unserialize($crow["acontent_form"]);
+$crow["acontent_form"] = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 $crow["acontent_form"] = isset($crow["acontent_form"]['ctext_format']) ? $crow["acontent_form"]['ctext_format'] : 'plain';
 
 switch($crow["acontent_form"]) {

include/inc_front/content/cnt13.article.inc.php

@@ -278,7 +278,7 @@
 
                             case 29:    $s_text .= ' '.$scrow['acontent_text'];
                             case 2:     if($content['search']['search_caption'] || $content['search']['search_filename']) {
-                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form']);
+                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form'], ['allowed_classes' => false]);
                                             if(isset($scrow['acontent_form']['images']) && is_array($scrow['acontent_form']['images']) && count($scrow['acontent_form']['images'])) {
                                                 $s_imgname = '';
                                                 foreach($scrow['acontent_form']['images'] as $s_imgtext) {
@@ -306,7 +306,7 @@
 
                             case 31:    $s_text .= ' '.$scrow['acontent_html'];
                                         if($content['search']['search_caption'] || $content['search']['search_filename']) {
-                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form']);
+                                            $scrow['acontent_form'] = @unserialize($scrow['acontent_form'], ['allowed_classes' => false]);
                                             if(isset($scrow['acontent_form']['images']) && is_array($scrow['acontent_form']['images']) && count($scrow['acontent_form']['images'])) {
                                                 foreach($scrow['acontent_form']['images'] as $s_imgtext) {
                                                     if($content['search']['search_caption']) {
@@ -323,7 +323,7 @@
 
                             // search recipe
                             case 26:    $s_text .= ' '.$scrow['acontent_text'].' '.$scrow['acontent_html'];
-                                        $scrow['acontent_form'] = @unserialize($scrow['acontent_form']);
+                                        $scrow['acontent_form'] = @unserialize($scrow['acontent_form'], ['allowed_classes' => false]);
                                         if(isset($scrow['acontent_form']['preparation'])) {
                                             $s_text .= ' '.$scrow['acontent_form']['preparation'].' '.$scrow['acontent_form']['ingredients'];
                                             $s_text .= ' '.$scrow['acontent_form']['calorificvalue'].' '.$scrow['acontent_form']['calorificvalue_add'];

include/inc_front/content/cnt14.article.inc.php

@@ -40,7 +40,7 @@
 $crow["acontent_template"] = render_cnt_template($crow["acontent_template"], 'TITLE', html($crow['acontent_title']));
 $crow["acontent_template"] = render_cnt_template($crow["acontent_template"], 'SUBTITLE', html($crow['acontent_subtitle']));
 
-$crow['custom_fields'] = empty($crow["acontent_form"]) ? null : @unserialize($crow["acontent_form"]);
+$crow['custom_fields'] = empty($crow["acontent_form"]) ? null : @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
 if(is_array($crow['custom_fields']) && !empty($crow["custom_fields"]['cnt_fields'])) {
 

include/inc_front/content/cnt2.article.inc.php

@@ -10,7 +10,7 @@
  **/
 
 //images (gallery)
-$image = @unserialize($crow["acontent_form"]);
+$image = @unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
 if(is_array($image) && ($image_count = count($image))) {
 

include/inc_front/content/cnt21.article.inc.php

@@ -34,7 +34,7 @@
 }
 
 $CNT_TMP .= headline($crow['acontent_title'], $crow['acontent_subtitle'], $template_default['article']);
-$content['page_file'] = @unserialize($crow['acontent_form']);
+$content['page_file'] = @unserialize($crow['acontent_form'], ['allowed_classes' => false]);
 if(!empty($content['page_file']['source'])) {
 	$CNT_TMP .= empty($content['page_file']['pfile']) ? '' : include_url($content['page_file']['pfile']);
 } elseif(!empty($content['page_file']['pfile'])) {

include/inc_front/content/cnt23.article.inc.php

@@ -19,7 +19,7 @@
 include_once PHPWCMS_ROOT.'/include/inc_front/content/cnt_functions/cnt23.func.inc.php';
 
 // Form
-$cnt_form = unserialize($crow["acontent_form"]);
+$cnt_form = unserialize($crow["acontent_form"], ['allowed_classes' => false]);
 
 if(empty($cnt_form['anchor_off'])) {
     $CNT_TMP .= '<a id="';
@@ -130,7 +130,7 @@
             $doubleoptin_error = true;
         } else {
             $doubleoptin_values = $doubleoptin_values[0];
-            $doubleoptin_values['formresult_content'] = unserialize($doubleoptin_values['formresult_content']);
+            $doubleoptin_values['formresult_content'] = unserialize($doubleoptin_values['formresult_content'], ['allowed_classes' => false]);
             if(empty($doubleoptin_values['formresult_content']['hash']) || $doubleoptin_values['formresult_content']['hash'] !== $_GET['hash']) {
                 $doubleoptin_values = null;
                 $doubleoptin_error = true;