Arbitrary Method Invocation

This commit addresses possible Arbitrary Method Invocation via AJAX file upload. To save some memory osTicket uses callback method to fetch the content of a file on mail fetch. $file['data'] was overloaded as a callback by simply checking if the content is callable, resulting in method invocation when content of the uploaded file is a callable. The address the issue we're not using locally set callback parameter / method.

Arbitrary Method Invocation
4dfb77ca · Peter Rotich · a9834d88 · 4dfb77ca · 4dfb77ca
Commit 4dfb77ca authored 5 years ago by Peter Rotich
--- a/include/class.file.php
+++ b/include/class.file.php
@@ -388,12 +388,15 @@ class AttachmentFile extends VerySimpleModel {
                $file['data'] = base64_decode($file['data']);
            }
        }
-        if (isset($file['data'])) {
+        if (!isset($file['data']) && isset($file['dataclb'])
+                && is_callable($file['dataclb'])) {
            // Allow a callback function to delay or avoid reading or
            // fetching ihe file contents
-            if (is_callable($file['data']))
+            $file['data'] = $file['dataclb']();
-                $file['data'] = $file['data']();
+        }
+        if (isset($file['data'])) {
            list($key, $file['signature'])
                = self::_getKeyAndHash($file['data']);
            if (!$file['key'])

--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -831,7 +831,7 @@ class MailFetcher {
                else {
                    // only fetch the body if necessary
                    $self = $this;
-                    $file['data'] = function() use ($self, $mid, $a) {
+                    $file['dataclb'] = function() use ($self, $mid, $a) {
                        return $self->decode(imap_fetchbody($self->mbox,
                            $mid, $a['index']), $a['encoding']);
                    };