From 79a3ad65ef022533f568a9795710a339e5bef4a4 Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@users.mediawiki.org>
Date: Thu, 23 Sep 2004 20:57:35 +0000
Subject: [PATCH] Verify known image types on upload.

---
 includes/SpecialUpload.php | 74 ++++++++++++++++++++++++++++++++++++++
 languages/Language.php     |  1 +
 2 files changed, 75 insertions(+)

diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index 6bf243c073..6401f85189 100644
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@@ -172,6 +172,10 @@ class UploadForm {
 				return $this->uploadError( wfMsg( 'badfiletype', htmlspecialchars( $ext ) ) );
 			}
 			
+			if( !$this->verify( $this->mUploadTempName, $ext ) ) {
+				return $this->uploadError( wfMsg( 'uploadcorrupt' ) );
+			}
+			
 			$this->saveUploadedFile( $this->mUploadSaveName, $this->mUploadTempName );
 			if ( !$nt->userCanEdit() ) {
 				return $this->uploadError( wfMsg( 'protectedpage' ) );
@@ -396,5 +400,75 @@ class UploadForm {
 	<input tabindex='5' type='submit' name=\"wpUpload\" value=\"{$ulb}\" />
 	</td></tr></table></form>\n" );
 	}
+	
+	function verify( $tmpfile, $extension ) {
+		$fname = 'SpecialUpload::verify';
+		$mergeExtensions = array(
+			'jpg' => 'jpeg',
+			'tif' => 'tiff' );
+		$extensionTypes = array(
+			# See http://www.php.net/getimagesize
+			1 => 'gif',
+			2 => 'jpeg',
+			3 => 'png',
+			4 => 'swf',
+			5 => 'psd',
+			6 => 'bmp',
+			7 => 'tiff',
+			8 => 'tiff',
+			9 => 'jpc',
+			10 => 'jp2',
+			11 => 'jpx',
+			12 => 'jb2',
+			13 => 'swc',
+			14 => 'iff',
+			15 => 'wbmp',
+			16 => 'xbm' );
+		
+		$extension = strtolower( $extension );
+		if( isset( $mergeExtensions[$extension] ) ) {
+			$extension = $mergeExtensions[$extension];
+		}
+		wfDebug( "$fname: Testing file '$tmpfile' with given extension '$extension'\n" );
+		
+		if( !in_array( $extension, $extensionTypes ) ) {
+			# Not a recognized image type. We don't know how to verify these.
+			# They're allowed by policy or they wouldn't get this far, so we'll
+			# let them slide for now.
+			wfDebug( "$fname: Unknown extension; passing.\n" );
+			return true;
+		}
+		
+		$data = @getimagesize( $tmpfile );
+		if( false === $data ) {
+			# Didn't recognize the image type.
+			# Either the image is corrupt or someone's slipping us some
+			# bogus data such as HTML+JavaScript trying to take advantage
+			# of an Internet Explorer security flaw.
+			wfDebug( "$fname: getimagesize() doesn't recognize the file; rejecting.\n" );
+			return false;
+		}
+		
+		$imageType = $data[2];
+		if( !isset( $extensionTypes[$imageType] ) ) {
+			# Now we're kind of confused. Perhaps new image types added
+			# to PHP's support that we don't know about.
+			# We'll let these slide for now.
+			wfDebug( "$fname: getimagesize() knows the file, but we don't recognize the type; passing.\n" );
+			return true;
+		}
+		
+		$ext = strtolower( $extension );
+		if( $extension != $extensionTypes[$imageType] ) {
+			# The given filename extension doesn't match the
+			# file type. Probably just a mistake, but it's a stupid
+			# one and we shouldn't let it pass. KILL THEM!
+			wfDebug( "$fname: file extension does not match recognized type; rejecting.\n" );
+			return false;
+		}
+		
+		wfDebug( "$fname: all clear; passing.\n" );
+		return true;
+	}
 }
 ?>
diff --git a/languages/Language.php b/languages/Language.php
index 2d04101c88..a30921816e 100644
--- a/languages/Language.php
+++ b/languages/Language.php
@@ -911,6 +911,7 @@ created and by whom, and anything else you may know about it. If this is an imag
 'savefile'		=> 'Save file',
 'uploadedimage' => "uploaded \"$1\"",
 'uploaddisabled' => 'Sorry, uploading is disabled.',
+'uploadcorrupt' => 'The file is corrupt or has an incorrect extension. Please check the file and upload again.',
 
 # Image list
 #
-- 
2.20.1