@zonuexe
Created June 30, 2019 10:25
PHPカンファレンス福岡2019 PHPアプリケーション脆弱性修正チャレンジの回答だぽ
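--- a/global/index.php
+++ b/global/index.php
@@ -9,8 +9,7 @@
 require_once('./auth.php');
 $auth = new Auth();
 $secret_token = $auth->generateToken();
-extract($_POST);
-$auth->render($token, $secret_token);
+$auth->render($_POST['token'], $secret_token);
 ?>
 </body>
 </html>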
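Review bot: `$_POST['token']` on the new render call raises an undefined-index notice whenever the field is missing from the request, and it still hands render() whatever type the client posted (an array if the field arrives as `token[]`). Read it with a default and keep only strings: `$token = $_POST['token'] ?? '';` `if (!is_string($token)) { $token = ''; }` `$auth->render($token, $secret_token);`. What render() does with the token is outside this hunk, so confirm it expects a plain string.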
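--- a/image_uploader/image.php
+++ b/image_uploader/image.php
@@ -4,12 +4,22 @@ class Image
 {
 public function getImageSize($url)
 {
-return getimagesize($url);
+$finfo = finfo_open(FILEINFO_MIME_TYPE);
+
+$img = file_get_contents($url);
+$file = tempnam('/tmp', 'foo');
+file_put_contents($file, $img);
+
+if ($this->validateImage(finfo_file($finfo, $file))) {
+return getimagesizefromstring($img);
+}
+
+return false;
 }
 public function validateImage($mime)
 {
-if (preg_match('/image\/(.+)/', $mime) === 1) {
+if (strpos($mime, 'image/') === 0) {
 return true;
 } else {
 return false;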
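Review bot: The temp file from `tempnam('/tmp', 'foo')` in the new getImageSize body is never unlinked and the finfo handle is never closed, so every call leaves a file behind in /tmp; `finfo_buffer()` classifies the bytes already held in `$img` and removes the temp file entirely. `file_get_contents($url)` returning `false` is also unchecked, so a failed fetch writes an empty file and goes through the MIME check instead of failing early. Separately, the URL is still fetched server-side with no scheme or host restriction, and the MIME check does not bound what the server requests; the `validUrl()` scheme check in scheme/template.php of this same diff is the shape of guard that belongs in front of this fetch. The rewritten body below keeps the `false`-on-reject contract and validateImage() unchanged.
```php
public function getImageSize($url)
{
    $img = file_get_contents($url);
    if ($img === false) {
        return false;
    }

    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_buffer($finfo, $img);
    finfo_close($finfo);

    if ($this->validateImage($mime)) {
        return getimagesizefromstring($img);
    }

    return false;
}
// … unchanged: validateImage() …
```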
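--- a/magic_hash/auth.php
+++ b/magic_hash/auth.php
@@ -6,7 +6,7 @@ class Auth
 public function isValid($token)
 {
-return md5($token) == $this::SECRET_TOKEN;
+return md5($token) === $this::SECRET_TOKEN;
 }
 public function render($token)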
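Review bot: `===` stops the type-juggled "magic hash" match, but the new isValid line still compares the digest with an early-exit string comparison; secrets are compared with `hash_equals()`, and `self::` is the usual spelling for a same-class constant: `return hash_equals(self::SECRET_TOKEN, md5($token));`. md5 remains a fast unsalted digest, so if SECRET_TOKEN is a stored hash of a user-chosen secret rather than a random value, `password_hash()`/`password_verify()` is the fit. SECRET_TOKEN's definition and the rest of the class are outside this hunk.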
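--- a/scheme/template.php
+++ b/scheme/template.php
@@ -1,10 +1,11 @@
 <?php
 class Template {
 public function validUrl($url) {
-return filter_var($url, FILTER_VALIDATE_URL);
+
+return filter_var($url, FILTER_VALIDATE_URL) && in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https']);
 }
 public function render($url) {
-if ($this->validUrl($url, FILTER_VALIDATE_URL) === false) {
+if ($this->validUrl($url) === false) {
 return "invalid";
 }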
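Review bot: The `in_array()` on the new validUrl line is non-strict, and `parse_url()` returns the scheme as written (or `null` when there is none), so the allow-list is case-sensitive and compared loosely; normalise and compare strictly: `$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));` `return filter_var($url, FILTER_VALIDATE_URL) !== false && in_array($scheme, ['http', 'https'], true);`. The empty line added at the top of the method body is a stray. Note the scheme allow-list only covers this Template class; the image fetch in image_uploader/image.php of the same diff has no equivalent guard.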
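--- a/switch/router.php
+++ b/switch/router.php
@@ -2,13 +2,13 @@
 class Router
 {
-public function render($id)
+public function render(string $id)
 {
 switch($id) {
-case 1:
+case "1":
 require_once $id . '.php';
 break;
-case 2:
+case "2":
 require_once $id . '.php';
 break;
 default: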
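Review bot: `switch` still compares loosely even with `case "1"`, so any numeric string equal to 1 (`"01"`, `"1.0"`, `" 1"`) matches and is then concatenated into the `require_once` path from the request value. Use the literal file name in each branch so `$id` never reaches the include: `require_once '1.php';` and `require_once '2.php';`, or a strict `match ($id) { '1' => '1.php', '2' => '2.php' }` lookup if the project is on PHP 8. The `string $id` hint only rejects non-string arguments when the file declares `strict_types=1`, which is not visible here. The default branch's body is outside the hunk.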
zonuexe commented Jun 30, 2019

https://github.com/pepabo/lolipop-mc-vuln-challengeのtadおじさんからの回答だぽ
