From fa8996e10f61d2d0de9c8027bf2de44d30f50da0 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Fri, 20 Sep 2019 16:26:21 +0200
Subject: [PATCH] issue #1073 prevents from making uploaded file executable

* for the name of the file in buffer directory, do not use the name given by the user, but the md5 of the name without extension
* function add_uploaded_file deletes uploaded file if not expected
---
 admin/include/functions_upload.inc.php | 2 ++
 include/ws_functions/pwg.images.php    | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/admin/include/functions_upload.inc.php b/admin/include/functions_upload.inc.php
index 4869eb795..69dcedc89 100644
--- a/admin/include/functions_upload.inc.php
+++ b/admin/include/functions_upload.inc.php
@@ -237,11 +237,13 @@ SELECT
       }
       else
       {
+        unlink($source_filepath);
         die('unexpected file type');
       }
     }
     else
     {
+      unlink($source_filepath);
       die('forbidden file type');
     }
 
diff --git a/include/ws_functions/pwg.images.php b/include/ws_functions/pwg.images.php
index 62a4a9bd6..6a8685437 100644
--- a/include/ws_functions/pwg.images.php
+++ b/include/ws_functions/pwg.images.php
@@ -1348,6 +1348,10 @@ function ws_images_upload($params, $service)
     $fileName = uniqid("file_");
   }
 
+  // change the name of the file in the buffer to avoid any unexpected
+  // extension. Function add_uploaded_file will eventually clean the mess.
+  $fileName = md5($fileName);
+
   $filePath = $upload_dir.DIRECTORY_SEPARATOR.$fileName;
 
   // Chunking might be enabled