Changeset 3068973

Timestamp:

04/11/2024 12:22:12 PM (20 months ago)

Author:

jarednova

Message:

Update to 1.23.1

Location:

timber-library/trunk/lib

Files:

• Admin.php (modified) (2 diffs)
• Image.php (modified) (1 diff)
• Image/Operation/ToJpg.php (modified) (1 diff)
• Image/Operation/ToWebp.php (modified) (2 diffs)
• ImageHelper.php (modified) (7 diffs)
• Timber.php (modified) (1 diff)

timber-library/trunk/lib/Admin.php

@@ -74 +74 @@
     protected static function update_message_major() {
         $m = '<br><b>Warning:</b> This new version of Timber introduces some major new features which might have unknown effects on your site.';
-
-
-        $m .= self::disable_update();
         return $m;
     }
@@ -119 +116 @@
         if ( $upgrade_magnitude == 'milestone' ) {
             $message = self::update_message_milestone();
-            echo '<br />'.sprintf($message);
+            echo '<br />' . ($message);
             return;
         } elseif ( $upgrade_magnitude == 'major' ) {
             //major version
             $message = self::update_message_major();
-            echo '<br />'.sprintf($message);
+            echo '<br />' . ($message);
             return;
         }
         $message = self::update_message_minor();
-        echo '<br />'.($message);
+        echo '<br />' . ($message);
         return;
 

timber-library/trunk/lib/Image.php

@@ -129 +129 @@
             return $this->get_dimensions_loaded($dim);
         }
+
+        if (!ImageHelper::is_protocol_allowed($this->file_loc) ) {
+            throw new \InvalidArgumentException('The output file scheme is not supported.');
+        }
+
         if ( file_exists($this->file_loc) && filesize($this->file_loc) ) {
             if ( ImageHelper::is_svg( $this->file_loc ) ) {

timber-library/trunk/lib/Image/Operation/ToJpg.php

@@ -43 +43 @@
      */
     public function run( $load_filename, $save_filename ) {
+        if  (!ImageHelper::is_protocol_allowed($load_filename) ) {
+            throw new \InvalidArgumentException('The output file scheme is not supported.');
+        }
 
         if ( !file_exists($load_filename) ) {
             return false;
         }
-        
+
         // Attempt to check if SVG.
         if ( ImageHelper::is_svg($load_filename) ) {

timber-library/trunk/lib/Image/Operation/ToWebp.php

@@ -8 +8 @@
 
 /**
- * This class is used to process webp images. Not all server configurations support webp. 
+ * This class is used to process webp images. Not all server configurations support webp.
  * If webp is not enabled, Timber will generate webp images instead
  * @codeCoverageIgnore
@@ -43 +43 @@
      */
     public function run( $load_filename, $save_filename ) {
+        if (!ImageHelper::is_protocol_allowed($load_filename)) {
+            throw new \InvalidArgumentException('The output file scheme is not supported.');
+        }
+
         if (!is_file($load_filename)) {
             return false;

timber-library/trunk/lib/ImageHelper.php

@@ -33 +33 @@
     static $home_url;
 
+    protected const ALLOWED_PROTOCOLS = ['file', 'http', 'https'];
+
+    protected const WINDOWS_LOCAL_FILENAME_REGEX = '/^[a-z]:(?:[\\\\\/]?(?:[\w\s!#()-]+|[\.]{1,2})+)*[\\\\\/]?/i';
+
     public static function init() {
         self::$home_url = get_home_url();
@@ -122 +126 @@
             return false;
         }
+
+        if (!ImageHelper::is_protocol_allowed($file) ) {
+            throw new \InvalidArgumentException('The output file scheme is not supported.');
+        }
+
         //its a gif so test
         if ( !($fh = @fopen($file, 'rb')) ) {
@@ -151 +160 @@
      */
     public static function is_svg( $file_path ) {
-        if ( ! isset( $file_path ) || '' === $file_path || ! file_exists( $file_path ) ) {
+        if ( ! isset( $file_path ) || '' === $file_path ) {
+            return false;
+        }
+
+        if (!ImageHelper::is_protocol_allowed($file_path) ) {
+            throw new \InvalidArgumentException('The output file scheme is not supported.');
+        }
+
+        if ( ! file_exists( $file_path ) ) {
             return false;
         }
@@ -367 +384 @@
     public static function sideload_image( $file ) {
         $loc = self::get_sideloaded_file_loc($file);
+
+        if  (!ImageHelper::is_protocol_allowed($file) ) {
+            throw new \InvalidArgumentException('The output file scheme is not supported.');
+        }
+
         if ( file_exists($loc) ) {
             return URLHelper::file_system_to_url($loc);
@@ -577 +599 @@
         }
 
+        if  (!ImageHelper::is_protocol_allowed($src) ) {
+            throw new \InvalidArgumentException('The output file scheme is not supported.');
+        }
+
         $allow_fs_write = apply_filters('timber/allow_fs_write', true);
 
@@ -582 +608 @@
             return $src;
         }
-        
+
         $external = false;
         // if external image, load it first
@@ -683 +709 @@
         return $new_path;
     }
+
+    /**
+     * Checks if the protocol of the given filename is allowed.
+     *
+     * This fixes a security issue with a PHAR deserialization vulnerability
+     * with file_exists() in PHP < 8.0.0.
+     *
+     * @param  string $filepath File path.
+     * @return bool
+     */
+    public static function is_protocol_allowed($filepath) {
+        $parsed_url = \parse_url($filepath);
+
+        if (false === $parsed_url) {
+            throw new \InvalidArgumentException('The filename is not valid.');
+        }
+
+        $protocol = isset($parsed_url['scheme'])
+            ? \mb_strtolower($parsed_url['scheme'])
+            : 'file';
+
+        if (
+            \PHP_OS_FAMILY === 'Windows'
+            && \strlen($protocol) === 1
+            && \preg_match(self::WINDOWS_LOCAL_FILENAME_REGEX, $filepath)
+        ) {
+            $protocol = 'file';
+        }
+
+        return \in_array($protocol, self::ALLOWED_PROTOCOLS, true);
+    }
 }

timber-library/trunk/lib/Timber.php

@@ -36 +36 @@
 class Timber {
 
-    public static $version = '1.23.0';
+    public static $version = '1.23.1';
     public static $locations;
     public static $dirname = 'views';