From 4dfb77caf2b77b4b996de6a441a75e409ec1dd12 Mon Sep 17 00:00:00 2001
From: Peter Rotich <peter@enhancesoft.com>
Date: Mon, 18 Nov 2019 17:38:26 +0000
Subject: [PATCH] Arbitrary Method Invocation

This commit addresses possible Arbitrary Method Invocation via AJAX file upload.

To save some memory osTicket uses callback method to fetch the content of a
file on mail fetch. $file['data'] was overloaded as a callback by simply
checking if the content is callable, resulting in method invocation when
content of the uploaded file is a callable.

To address the issue we're now using a locally set callback parameter / method.
---
 include/class.file.php      | 9 ++++++---
 include/class.mailfetch.php | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/include/class.file.php b/include/class.file.php
index 204b7945f..231630153 100644
--- a/include/class.file.php
+++ b/include/class.file.php
@@ -388,12 +388,15 @@ class AttachmentFile extends VerySimpleModel {
                 $file['data'] = base64_decode($file['data']);
             }
         }
-        if (isset($file['data'])) {
+
+        if (!isset($file['data']) && isset($file['dataclb'])
+                && is_callable($file['dataclb'])) {
             // Allow a callback function to delay or avoid reading or
             // fetching ihe file contents
-            if (is_callable($file['data']))
-                $file['data'] = $file['data']();
+            $file['data'] = $file['dataclb']();
+        }
 
+        if (isset($file['data'])) {
             list($key, $file['signature'])
                 = self::_getKeyAndHash($file['data']);
             if (!$file['key'])
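Review bot: The new guard on `$file['dataclb']` still relies on `is_callable()`, which accepts plain strings and `[class, method]` arrays as well as closures. The fix therefore holds only as long as no request-derived array can ever carry a `dataclb` key, and the hunk does not show whether upload paths build `$file` from such input. The only producer visible in this patch (class.mailfetch.php) assigns a closure, so the condition could be tightened to `if (!isset($file['data']) && isset($file['dataclb']) && $file['dataclb'] instanceof Closure) {`. That keeps the lazy-fetch behaviour and rejects any string or array value outright. The enclosing method starts and ends outside this hunk, so confirm that no other caller passes a non-closure callable before changing the check.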
diff --git a/include/class.mailfetch.php b/include/class.mailfetch.php
index dd7edd815..d814d1d9f 100644
--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -831,7 +831,7 @@ class MailFetcher {
                 else {
                     // only fetch the body if necessary
                     $self = $this;
-                    $file['data'] = function() use ($self, $mid, $a) {
+                    $file['dataclb'] = function() use ($self, $mid, $a) {
                         return $self->decode(imap_fetchbody($self->mbox,
                             $mid, $a['index']), $a['encoding']);
                     };
-- 
GitLab