Details
- Bug
- Resolution: Fixed
- Medium
- None
- None
- 4
Description
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.
The shouldResizeImage code path in UploadProfilePictureAction.java appears to be vulnerable to path traversal through the user's username, which is passed to the TemporaryProfilePicture constructor on line 119.
In the execute() method of UploadProfilePictureAction.java, the following code appears on line 117:
```java
if (shouldResizeImage(image)) {
    TemporaryProfilePicture temporaryProfilePicture = new TemporaryProfilePicture(
            uploadedFile.getFile(),
            uploadedFile.getFileName(),
            new File(BootstrapUtils.getBootstrapManager().getFilePathProperty(ConfluenceBootstrapConstants.TEMP_DIR_PROP)),
            getRemoteUser().getName());
    //noinspection unchecked
    getSession().put(SessionKeys.TEMPORARY_UPLOADED_PROFILE_PIC, temporaryProfilePicture);
    return "resize";
}
```
and it continues through the TemporaryProfilePicture constructor:
```java
public TemporaryProfilePicture(File sourceFile, String imageFileName, File confluenceTempDirectory, String owningUserName) throws IOException {
    this.confluenceTempDirectory = confluenceTempDirectory.getAbsolutePath();
    String fileroot = makeFileRoot(owningUserName);
    copyOriginalFile(sourceFile, imageFileName, fileroot);
    makeThumbnailIfNecessary(sourceFile, imageFileName, fileroot);
}
...
private void copyOriginalFile(File sourceFile, String imageFileName, String fileroot) throws IOException {
    originalFileName = fileroot + "pp-" + imageFileName;
    FileUtils.copyFile(sourceFile, getOriginalFile());
    getOriginalFile().deleteOnExit();
}

private void makeThumbnailIfNecessary(File sourceFile, String imageFileName, String fileroot) throws IOException {
    // The mime type is not being used by Thumber right now, but we might as well use the proper one.
    Thumber thumber = new Thumber(Thumbnail.MimeType.PNG);
    Image sourceImage = thumber.getImage(sourceFile);
    sourceHeight = sourceImage.getHeight(null);
    sourceWidth = sourceImage.getWidth(null);
    if (sourceHeight > MAX_SIDE_LENGTH || sourceWidth > MAX_SIDE_LENGTH) {
        thumbnailFileName = fileroot + "pp-t-" + imageFileName;
        Thumber.WidthHeightHelper dimensions = thumber.determineScaleSize(800, 800, sourceWidth, sourceHeight);
        thumbnailWidth = dimensions.getWidth();
        thumbnailHeight = dimensions.getHeight();
        BufferedImage scaledImage = thumber.scaleImage(sourceImage, dimensions);
        ImageIO.write(scaledImage, "png", getThumbnailFile());
        getThumbnailFile().deleteOnExit();
    }
...
private String makeFileRoot(String owningUserName) {
    return owningUserName + "-" + (int)(Math.random() * 100000) + "-";
}
...
```
Path traversal can occur in copyOriginalFile via the user's username, and again in makeThumbnailIfNecessary, inside the if (sourceHeight > MAX_SIDE_LENGTH || sourceWidth > MAX_SIDE_LENGTH) clause, also through the user's username.
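The following is an added example, not Confluence code: it places the file-name construction described above next to a hardened form that sanitises both user-controlled parts and verifies the canonical path stays in the temp directory. The class and method names are hypothetical, the sample inputs are constructed, and it assumes the file name is resolved against the temp directory (the report does not show getOriginalFile()).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.security.SecureRandom;

public class TempProfilePicturePath {  // hypothetical class, for illustration only
    private static final SecureRandom RANDOM = new SecureRandom();

    // Pattern from the report: user name and file name are concatenated unchecked.
    static File unsafeResolve(File tempDir, String userName, String imageFileName) {
        String fileroot = userName + "-" + (int) (Math.random() * 100000) + "-";
        return new File(tempDir, fileroot + "pp-" + imageFileName);
    }

    // Hardened form: allow-list the characters of both user-controlled parts,
    // then confirm the canonical result is a direct child of the temp directory.
    static File safeResolve(File tempDir, String userName, String imageFileName) throws IOException {
        String safeUser = userName.replaceAll("[^A-Za-z0-9_]", "_");
        String safeName = new File(imageFileName).getName().replaceAll("[^A-Za-z0-9._-]", "_");
        Path base = tempDir.getCanonicalFile().toPath();
        Path candidate = new File(tempDir, safeUser + "-" + RANDOM.nextInt(100000) + "-pp-" + safeName)
                .getCanonicalFile().toPath();
        if (!base.equals(candidate.getParent())) {
            throw new IOException("resolved path escapes temp directory");
        }
        return candidate.toFile();
    }

    // Component-wise containment check on canonical paths.
    static boolean isInside(File tempDir, File f) throws IOException {
        return f.getCanonicalFile().toPath().startsWith(tempDir.getCanonicalFile().toPath());
    }

    public static void main(String[] args) throws IOException {
        File tempDir = new File(System.getProperty("java.io.tmpdir"), "confluence-temp-example");
        String userName = "../../outside";   // constructed sample user name
        String imageFileName = "avatar.png"; // constructed sample file name
        File unsafe = unsafeResolve(tempDir, userName, imageFileName);
        File safe = safeResolve(tempDir, userName, imageFileName);
        System.out.println("unsafe inside temp dir: " + isInside(tempDir, unsafe));
        System.out.println("safe inside temp dir:   " + isInside(tempDir, safe));
    }
}
```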
Issue Links
- relates to CONFCLOUD-26964 Path traversal in UploadProfilePictureAction.java (Closed)