[SECURITY] Enclose file type scope when invoking ImageMagick

In order to enclose and avoid type guessing done by ImageMagick based
on mime-type and internal file content checks, new value object class
ImageMagickFile has been introduced as guard for those invocations.

Resolves: #87588
Releases: master, 9.5, 8.7
Security-Commit: 9db2aadc177ba453d935060fabf2d72fd80d0747
Security-Bulletin: TYPO3-CORE-SA-2019-012
Change-Id: Iea1dcd5d2a9af2a37dfaeb64fc31d7322f544e70
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60700
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

Diff for: typo3/sysext/core/Classes/Imaging/GraphicalFunctions.php

@@ -2456,8 +2456,11 @@ public function imageMagickIdentify($imagefile)
             return null;
         }
 
-        $frame = $this->addFrameSelection ? '[0]' : '';
-        $cmd = CommandUtility::imageMagickCommand('identify', CommandUtility::escapeShellArgument($imagefile) . $frame);
+        $frame = $this->addFrameSelection ? 0 : null;
+        $cmd = CommandUtility::imageMagickCommand(
+            'identify',
+            ImageMagickFile::fromFilePath($imagefile, $frame)
+        );
         $returnVal = [];
         CommandUtility::exec($cmd, $returnVal);
         $splitstring = array_pop($returnVal);
@@ -2500,8 +2503,13 @@ public function imageMagickExec($input, $output, $params, $frame = 0)
         }
         // If addFrameSelection is set in the Install Tool, a frame number is added to
         // select a specific page of the image (by default this will be the first page)
-        $frame = $this->addFrameSelection ? '[' . (int)$frame . ']' : '';
-        $cmd = CommandUtility::imageMagickCommand('convert', $params . ' ' . CommandUtility::escapeShellArgument($input . $frame) . ' ' . CommandUtility::escapeShellArgument($output));
+        $frame = $this->addFrameSelection ? (int)$frame : null;
+        $cmd = CommandUtility::imageMagickCommand(
+            'convert',
+            $params
+                . ' ' . ImageMagickFile::fromFilePath($input, $frame)
+                . ' ' . CommandUtility::escapeShellArgument($output)
+        );
         $this->IM_commands[] = [$output, $cmd];
         $ret = CommandUtility::exec($cmd);
         // Change the permissions of the file
@@ -2531,9 +2539,9 @@ public function combineExec($input, $overlay, $mask, $output)
         $parameters = '-compose over'
             . ' -quality ' . $this->jpegQuality
             . ' +matte '
-            . CommandUtility::escapeShellArgument($input) . ' '
-            . CommandUtility::escapeShellArgument($overlay) . ' '
-            . CommandUtility::escapeShellArgument($theMask) . ' '
+            . ImageMagickFile::fromFilePath($input) . ' '
+            . ImageMagickFile::fromFilePath($overlay) . ' '
+            . ImageMagickFile::fromFilePath($theMask) . ' '
             . CommandUtility::escapeShellArgument($output);
         $cmd = CommandUtility::imageMagickCommand('combine', $parameters);
         $this->IM_commands[] = [$output, $cmd];
@@ -2578,7 +2586,7 @@ public static function gifCompress($theFile, $type)
             if (@rename($theFile, $temporaryName)) {
                 $cmd = CommandUtility::imageMagickCommand(
                     'convert',
-                    implode(' ', CommandUtility::escapeShellArguments([$temporaryName, $theFile])),
+                    ImageMagickFile::fromFilePath($temporaryName) . ' ' . CommandUtility::escapeShellArgument($theFile),
                     $gfxConf['processor_path_lzw']
                 );
                 CommandUtility::exec($cmd);
@@ -2628,7 +2636,7 @@ public static function readPngGif($theFile, $output_png = false)
         $newFile = Environment::getPublicPath() . '/typo3temp/assets/images/' . md5($theFile . '|' . filemtime($theFile)) . ($output_png ? '.png' : '.gif');
         $cmd = CommandUtility::imageMagickCommand(
             'convert',
-            implode(' ', CommandUtility::escapeShellArguments([$theFile, $newFile])),
+            ImageMagickFile::fromFilePath($theFile) . ' ' . CommandUtility::escapeShellArgument($newFile),
             $GLOBALS['TYPO3_CONF_VARS']['GFX']['processor_path']
         );
         CommandUtility::exec($cmd);

Diff for: typo3/sysext/core/Classes/Imaging/ImageMagickFile.php

@@ -0,0 +1,223 @@
+<?php
+declare(strict_types = 1);
+namespace TYPO3\CMS\Core\Imaging;
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+use TYPO3\CMS\Core\Exception;
+use TYPO3\CMS\Core\Type\File\FileInfo;
+use TYPO3\CMS\Core\Utility\CommandUtility;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+
+/**
+ * Value object for file to be used for ImageMagick/GraphicsMagick invocation when
+ * being used as input file (implies and requires that file exists for some evaluations).
+ */
+class ImageMagickFile
+{
+    /**
+     * Path to input file to be processed
+     *
+     * @var string
+     */
+    protected $filePath;
+
+    /**
+     * Frame to be used (of multi-page document, e.g. PDF)
+     *
+     * @var int|null
+     */
+    protected $frame;
+
+    /**
+     * Whether file actually exists
+     *
+     * @var bool
+     */
+    protected $fileExists;
+
+    /**
+     * File extension as given in $filePath (e.g. 'file.png' -> 'png')
+     *
+     * @var string
+     */
+    protected $fileExtension;
+
+    /**
+     * Resolved mime-type of file
+     *
+     * @var string
+     */
+    protected $mimeType;
+
+    /**
+     * Resolved extension for mime-type (e.g. 'image/png' -> 'png')
+     * (might be empty if not defined in magic.mime database)
+     *
+     * @var string[]
+     * @see FileInfo::getMimeExtensions()
+     */
+    protected $mimeExtensions = [];
+
+    /**
+     * Result to be used for ImageMagick/GraphicsMagick invocation containing
+     * combination of resolved format prefix, $filePath and frame escaped to be
+     * used as CLI argument (e.g. "'png:file.png'")
+     *
+     * @var string
+     */
+    protected $asArgument;
+
+    /**
+     * File extensions that directly can be used (and are considered to be safe).
+     *
+     * @var string[]
+     */
+    protected $allowedExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp', 'tif', 'tiff', 'bmp', 'pcx', 'tga', 'ico'];
+
+    /**
+     * File extensions that never shall be used.
+     *
+     * @var string[]
+     */
+    protected $deniedExtensions = ['epi', 'eps', 'eps2', 'eps3', 'epsf', 'epsi', 'ept', 'ept2', 'ept3', 'msl', 'ps', 'ps2', 'ps3'];
+
+    /**
+     * File mime-types that have to be matching. Adding custom mime-types is possible using
+     * $GLOBALS['TYPO3_CONF_VARS']['SYS']['FileInfo']['fileExtensionToMimeType']
+     *
+     * @var string[]
+     * @see FileInfo::getMimeExtensions()
+     */
+    protected $mimeTypeExtensionMap = [
+        'image/png' => 'png',
+        'image/jpeg' => 'jpg',
+        'image/gif' => 'gif',
+        'image/heic' => 'heic',
+        'image/heif' => 'heif',
+        'image/webp' => 'webp',
+        'image/svg' => 'svg',
+        'image/svg+xml' => 'svg',
+        'image/tiff' => 'tif',
+        'application/pdf' => 'pdf',
+    ];
+
+    /**
+     * @param string $filePath
+     * @param int|null $frame
+     * @return ImageMagickFile
+     */
+    public static function fromFilePath(string $filePath, int $frame = null): self
+    {
+        return GeneralUtility::makeInstance(
+            static::class,
+            $filePath,
+            $frame
+        );
+    }
+
+    /**
+     * @param string $filePath
+     * @param int|null $frame
+     * @throws Exception
+     */
+    public function __construct(string $filePath, int $frame = null)
+    {
+        $this->frame = $frame;
+        $this->fileExists = file_exists($filePath);
+        $this->filePath = $filePath;
+        $this->fileExtension = pathinfo($filePath, PATHINFO_EXTENSION);
+
+        if ($this->fileExists) {
+            $fileInfo = $this->getFileInfo($filePath);
+            $this->mimeType = $fileInfo->getMimeType();
+            $this->mimeExtensions = $fileInfo->getMimeExtensions();
+        }
+
+        $this->asArgument = $this->escape(
+            $this->resolvePrefix() . $this->filePath
+            . ($this->frame !== null ? '[' . $this->frame . ']' : '')
+        );
+    }
+
+    /**
+     * @return string
+     */
+    public function __toString(): string
+    {
+        return $this->asArgument;
+    }
+
+    /**
+     * Resolves according ImageMagic/GraphicsMagic format (e.g. 'png:', 'jpg:', ...).
+     * + in case mime-type could be resolved and is configured, it takes precedence
+     * + otherwise resolved mime-type extension of mime.magick database is used if available
+     *   (includes custom settings with $GLOBALS['TYPO3_CONF_VARS']['SYS']['FileInfo']['fileExtensionToMimeType'])
+     * + otherwise "safe" and allowed file extension is used (jpg, png, gif, webp, tif, ...)
+     * + potentially malicious script formats (eps, ps, ...) are not allowed
+     *
+     * @return string
+     * @throws Exception
+     */
+    protected function resolvePrefix(): string
+    {
+        $prefixExtension = null;
+        $fileExtension = strtolower($this->fileExtension);
+        if ($this->mimeType !== null && !empty($this->mimeTypeExtensionMap[$this->mimeType])) {
+            $prefixExtension = $this->mimeTypeExtensionMap[$this->mimeType];
+        } elseif (!empty($this->mimeExtensions) && strpos((string)$this->mimeType, 'image/') === 0) {
+            $prefixExtension = $this->mimeExtensions[0];
+        } elseif ($this->isInAllowedExtensions($fileExtension)) {
+            $prefixExtension = $fileExtension;
+        }
+        if ($prefixExtension !== null && !in_array(strtolower($prefixExtension), $this->deniedExtensions, true)) {
+            return $prefixExtension . ':';
+        }
+        throw new Exception(
+            sprintf(
+                'Unsupported file %s (%s)',
+                basename($this->filePath),
+                $this->mimeType ?? 'unknown'
+            ),
+            1550060977
+        );
+    }
+
+    /**
+     * @param string $value
+     * @return string
+     */
+    protected function escape(string $value): string
+    {
+        return CommandUtility::escapeShellArgument($value);
+    }
+
+    /**
+     * @param string $extension
+     * @return bool
+     */
+    protected function isInAllowedExtensions(string $extension): bool
+    {
+        return in_array($extension, $this->allowedExtensions, true);
+    }
+
+    /**
+     * @param string $filePath
+     * @return FileInfo
+     */
+    protected function getFileInfo(string $filePath): FileInfo
+    {
+        return GeneralUtility::makeInstance(FileInfo::class, $filePath);
+    }
+}

Diff for: typo3/sysext/core/Classes/Resource/OnlineMedia/Processing/PreviewProcessing.php

@@ -16,6 +16,7 @@
 
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Imaging\GraphicalFunctions;
+use TYPO3\CMS\Core\Imaging\ImageMagickFile;
 use TYPO3\CMS\Core\Resource\Driver\DriverInterface;
 use TYPO3\CMS\Core\Resource\File;
 use TYPO3\CMS\Core\Resource\OnlineMedia\Helpers\OnlineMediaHelperRegistry;
@@ -138,11 +139,10 @@ protected function resizeImage($originalFileName, $temporaryFileName, $configura
             $arguments = CommandUtility::escapeShellArguments([
                 'width' => $configuration['width'],
                 'height' => $configuration['height'],
-                'originalFileName' => $originalFileName,
-                'temporaryFileName' => $temporaryFileName,
             ]);
-            $parameters = '-sample ' . $arguments['width'] . 'x' . $arguments['height'] . ' '
-                . $arguments['originalFileName'] . '[0] ' . $arguments['temporaryFileName'];
+            $parameters = '-sample ' . $arguments['width'] . 'x' . $arguments['height']
+                . ' ' . ImageMagickFile::fromFilePath($originalFileName, 0)
+                . ' ' . CommandUtility::escapeShellArgument($temporaryFileName);
 
             $cmd = CommandUtility::imageMagickCommand('convert', $parameters) . ' 2>&1';
             CommandUtility::exec($cmd);

Diff for: typo3/sysext/core/Classes/Resource/Processing/LocalPreviewHelper.php

@@ -15,6 +15,7 @@
  */
 
 use TYPO3\CMS\Core\Imaging\GraphicalFunctions;
+use TYPO3\CMS\Core\Imaging\ImageMagickFile;
 use TYPO3\CMS\Core\Resource\File;
 use TYPO3\CMS\Core\Utility\CommandUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
@@ -151,11 +152,10 @@ protected function generatePreviewFromFile(File $file, array $configuration, $ta
                 $arguments = CommandUtility::escapeShellArguments([
                     'width' => $configuration['width'],
                     'height' => $configuration['height'],
-                    'originalFileName' => $originalFileName,
-                    'targetFilePath' => $targetFilePath,
                 ]);
-                $parameters = '-sample ' . $arguments['width'] . 'x' . $arguments['height'] . ' '
-                    . $arguments['originalFileName'] . '[0] ' . $arguments['targetFilePath'];
+                $parameters = '-sample ' . $arguments['width'] . 'x' . $arguments['height']
+                    . ' ' . ImageMagickFile::fromFilePath($originalFileName, 0)
+                    . ' ' . CommandUtility::escapeShellArgument($targetFilePath);
 
                 $cmd = CommandUtility::imageMagickCommand('convert', $parameters) . ' 2>&1';
                 CommandUtility::exec($cmd);