Headline
CVE-2023-46448: Fix reflected XSS vulnerability · dmpop/mejiro@3096393
Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro, in versions prior to commit 3096393, allows attackers to run arbitrary code via a crafted string in the metadata of uploaded images.
@@ -97,8 +97,8 @@ function read_gps_location($file)
$GPSLongitudeRef == ‘w’ ? $lon *= -1 : '’;
return array(
‘lat’ => $lat,
‘lon’ => $lon
‘lat’ => htmlentities($lat),
‘lon’ => htmlentities($lon)
);
}
}
@@ -364,25 +364,25 @@ function show_pagination($current_page, $last_page, $and_d, $sub_photo_dir)
$gps = read_gps_location($file);
// Get aperture, exposure, iso, and datetime from EXIF
$aperture = (is_null($exif[‘COMPUTED’][‘ApertureFNumber’]) ? null : $exif[‘COMPUTED’][‘ApertureFNumber’]);
$exposure = (is_null($exif[‘EXIF’][‘ExposureTime’]) ? null : $exif[‘EXIF’][‘ExposureTime’]);
$aperture = htmlentities((is_null($exif[‘COMPUTED’][‘ApertureFNumber’]) ? null : $exif[‘COMPUTED’][‘ApertureFNumber’]));
$exposure = htmlentities((is_null($exif[‘EXIF’][‘ExposureTime’]) ? null : $exif[‘EXIF’][‘ExposureTime’]));
// Normalize exposure
// https://stackoverflow.com/questions/3049998/parsing-exifs-exposuretime-using-php
if (!is_null($exposure)) {
$parts = explode("/", $exposure);
if (($parts[1] % $parts[0]) == 0 || $parts[1] == 1000000) {
$exposure = ' • 1/’ . round($parts[1] / $parts[0], 0);
$exposure = htmlentities(' • 1/’ . round($parts[1] / $parts[0], 0));
} else {
if ($parts[1] == 1) {
$exposure = ' • ' . $parts[0];
$exposure = htmlentities(' • ' . $parts[0]);
} else {
$exposure = ' • ' . $parts[0] . ‘/’ . $parts[1];
$exposure = htmlentities(' • ' . $parts[0] . ‘/’ . $parts[1]);
}
}
}
$iso = (is_null($exif[‘EXIF’][‘ISOSpeedRatings’]) ? null : " • " . $exif[‘EXIF’][‘ISOSpeedRatings’]);
$datetime = $exif[‘EXIF’][‘DateTimeOriginal’] ?? null;
$comment = $exif[‘COMMENT’][‘0’] ?? null;
$iso = htmlentities((is_null($exif[‘EXIF’][‘ISOSpeedRatings’]) ? null : " • " . $exif[‘EXIF’][‘ISOSpeedRatings’]));
$datetime = htmlentities($exif[‘EXIF’][‘DateTimeOriginal’]) ?? null;
$comment = htmlentities($exif[‘COMMENT’][‘0’]) ?? null;
// Concatenate $exif_info
if (!is_null($aperture) || !is_null($exposure) || !is_null($iso) || !is_null($datetime)) {
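Review bot: Wrapping the lookups in `htmlentities()` changes their null behaviour: in the second hunk `$datetime = htmlentities($exif['EXIF']['DateTimeOriginal']) ?? null;` (and likewise the `$comment`, `$aperture`, `$exposure` and `$iso` assignments) now yields a string even when the EXIF field is absent, because `htmlentities(null)` returns `''`, so the `?? null` is dead and the `!is_null(...)` tests that follow always pass. For `$exposure` this means `explode("/", '')` is reached and `$parts[1]` is read although it does not exist, which looks like it can end in a modulo-by-zero or type error for an image without ExposureTime; that is worth confirming on the target PHP version. I would keep the null check outside the escape, e.g. `$datetime = isset($exif['EXIF']['DateTimeOriginal']) ? htmlentities($exif['EXIF']['DateTimeOriginal'], ENT_QUOTES, 'UTF-8') : null;`, and pass `ENT_QUOTES` explicitly because the default flags before PHP 8.1 leave single quotes unescaped. `$exposure` is also encoded twice (once on assignment and again after normalisation), so escaping once at the point where the value is echoed would avoid double-encoded output. The enclosing block starts and ends outside the hunk, so the output context of these variables is not visible here.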