Switch from using pgrep to compare against getimagesize()['mime']
to directly comparing IMAGETYPEs against getimagesize()[2].
Replace user-supplied filename with a random string, and supply
an extension based on the image type provided by getimagesize().
WARNING: THESE FIXES DO NOT FIX THE UNDERLYING PROBLEM. THIS CAN
ONLY BE FIXED BY FORBIDDING SCRIPT EXECUTION IN THE UPLOADS DIRECTORY!!!!
Note: Only the second fix is likely to improve security. The first one should be a speed improvement (greps are relatively expensive). I also added a missing check to make sure getimagesize() didn't return FALSE.
Again, this does NOT fully fix the issue, it only mitigates it. A full fix is only possible (as far as I can tell) by either disabling user avatars or making sure no scripts can be run in the uploads folder.
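One way to implement the two changes the commit describes, as an added PHP example that is not the project's own code; the function name `store_avatar`, the constant `ALLOWED_IMAGE_TYPES`, the form field name and the uploads path are assumptions:

```php
<?php
// Added example (not the project's code): validate an avatar upload by comparing
// getimagesize()[2] against IMAGETYPE_* constants, then store it under a random
// name with an extension derived from the detected type, never from the client.
declare(strict_types=1);

// Assumed allow-list for this illustration.
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

/**
 * Returns the stored filename on success, or null if the upload is rejected.
 */
function store_avatar(string $tmpPath, string $uploadsDir): ?string
{
    // getimagesize() returns false for anything it cannot parse as an image;
    // the commit notes this check was previously missing.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }

    // Index 2 holds the IMAGETYPE_* constant: an integer comparison replaces
    // the regex match against the 'mime' string.
    $type = $info[2];
    if (!in_array($type, ALLOWED_IMAGE_TYPES, true)) {
        return null;
    }

    // Discard the user-supplied name entirely: random basename plus an
    // extension chosen from the detected type (e.g. "png", "jpeg", "gif").
    $ext  = image_type_to_extension($type, false);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadsDir, '/') . '/' . $name;

    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    return $name;
}

// Usage (assumes a form field named "avatar" and an "uploads" directory).
if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] === UPLOAD_ERR_OK) {
    $stored = store_avatar($_FILES['avatar']['tmp_name'], __DIR__ . '/uploads');
    echo $stored === null ? 'Upload rejected' : 'Stored as ' . $stored;
}
```

As the commit message stresses, this only mitigates the problem: the stored bytes are still user-controlled, so the uploads directory must also be configured so that nothing in it can execute as a script.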