Confluence Data Center / CONFSERVER-26964

Path traversal in UploadProfilePictureAction.java


Details

    Description

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      The shouldResizeImage code path in UploadProfilePictureAction.java appears to be vulnerable to path traversal through a user's username, which is passed to the TemporaryProfilePicture constructor on line 119.

      In the execute() method of UploadProfilePictureAction.java on line 117 the following code appears:

                  if (shouldResizeImage(image))
                  {
                      TemporaryProfilePicture temporaryProfilePicture = new TemporaryProfilePicture(uploadedFile.getFile(), uploadedFile.getFileName(), new File(BootstrapUtils.getBootstrapManager().getFilePathProperty(ConfluenceBootstrapConstants.TEMP_DIR_PROP)), getRemoteUser().getName());
                      //noinspection unchecked
                      getSession().put(SessionKeys.TEMPORARY_UPLOADED_PROFILE_PIC, temporaryProfilePicture);
                      return "resize";
                  }
      

      and it continues through the TemporaryProfilePicture constructor:

          public TemporaryProfilePicture(File sourceFile, String imageFileName, File confluenceTempDirectory, String owningUserName) throws IOException
          {
              this.confluenceTempDirectory = confluenceTempDirectory.getAbsolutePath();
      
              String fileroot = makeFileRoot(owningUserName);
              copyOriginalFile(sourceFile, imageFileName, fileroot);
              makeThumbnailIfNecessary(sourceFile, imageFileName, fileroot);
          }
      ...
          private void copyOriginalFile(File sourceFile, String imageFileName, String fileroot) throws IOException
          {
              originalFileName = fileroot + "pp-" + imageFileName;
              FileUtils.copyFile(sourceFile, getOriginalFile());
              getOriginalFile().deleteOnExit();
          }
      
          private void makeThumbnailIfNecessary(File sourceFile, String imageFileName, String fileroot) throws IOException
          {
              // The mime type is not being used by Thumber right now, but we might as well use the proper one.
              Thumber thumber = new Thumber(Thumbnail.MimeType.PNG);
              Image sourceImage = thumber.getImage(sourceFile);
      
              sourceHeight = sourceImage.getHeight(null);
              sourceWidth = sourceImage.getWidth(null);
      
              if (sourceHeight > MAX_SIDE_LENGTH || sourceWidth > MAX_SIDE_LENGTH)
              {
                  thumbnailFileName = fileroot + "pp-t-" + imageFileName;
      
                  Thumber.WidthHeightHelper dimensions = thumber.determineScaleSize(800, 800, sourceWidth, sourceHeight);
                  thumbnailWidth = dimensions.getWidth();
                  thumbnailHeight = dimensions.getHeight();
      
                  BufferedImage scaledImage = thumber.scaleImage(sourceImage, dimensions);
                  ImageIO.write(scaledImage, "png", getThumbnailFile());
                  getThumbnailFile().deleteOnExit();
              }
      
      
      ...
          private String makeFileRoot(String owningUserName)
          {
              return owningUserName + "-" + (int)(Math.random() * 100000) + "-";
          }
      ...
      
      

      Path traversal can occur in copyOriginalFile via the user's username, and in makeThumbnailIfNecessary, inside the if (sourceHeight > MAX_SIDE_LENGTH || sourceWidth > MAX_SIDE_LENGTH) clause, again through the user's username.
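The file-name construction described above, next to a contained variant, as an added example that is not Confluence source code. The class and method names are hypothetical, the sample user names are constructed, and it assumes the generated name is joined under the temp directory (getOriginalFile() is not shown in the report). The hardened method treats the image file name the same way as the user name, since both are concatenated into the name.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not Confluence source. All names here are hypothetical.
public class TempNameContainment {

    // Mirrors the pattern quoted in the report: fileroot + "pp-" + imageFileName.
    // Assumption: the result is resolved against the temp directory.
    static Path unsafeResolve(Path tempDir, String userName, String imageFileName) {
        String fileroot = userName + "-" + (int) (Math.random() * 100000) + "-";
        return tempDir.resolve(fileroot + "pp-" + imageFileName).normalize();
    }

    // Hardened form: reduce both caller-influenced parts to a conservative
    // character set, then verify the result is a direct child of the temp dir.
    static Path safeResolve(Path tempDir, String userName, String imageFileName)
            throws IOException {
        String user = userName.replaceAll("[^A-Za-z0-9_-]", "_");
        String image = imageFileName.replaceAll("[^A-Za-z0-9._-]", "_");
        Path base = tempDir.toAbsolutePath().normalize();
        String name = user + "-" + (int) (Math.random() * 100000) + "-pp-" + image;
        Path target = base.resolve(name).normalize();
        // Defence in depth: fail closed if the path is not directly under base.
        if (!base.equals(target.getParent())) {
            throw new IOException("resolved path escapes temp directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path tempDir = Files.createTempDirectory("pp-demo").toAbsolutePath().normalize();
        // Constructed sample user names, not taken from the issue.
        String[] users = { "alice", "../../outside/alice", "a/b" };
        for (String u : users) {
            Path unsafe = unsafeResolve(tempDir, u, "avatar.png");
            Path safe = safeResolve(tempDir, u, "avatar.png");
            System.out.printf("%-22s unsafe is direct child: %-5b safe name: %s%n",
                    u, tempDir.equals(unsafe.getParent()), safe.getFileName());
        }
        Files.delete(tempDir);
    }
}
```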


            People

              alwang Alice Wang (Inactive)
              dblack David Black