authorBharat Mediratta <bharat@menalto.com>2009-10-13 10:36:50 -0700
committerBharat Mediratta <bharat@menalto.com>2009-10-13 10:36:50 -0700
commit0a66ef9cc785fa5fb3614e7664c424d13ff09728 (patch)
treea78970b7a87d89d7c3080daa8198423e0d6d7fd5 /modules/gallery/controllers/movies.php
parentb6c1ba7ea6416630b2a44b3df8400a2d48460b0a (diff)
Don't allow users to change the file extension of photos/movies
If you can change the extension, then you can alter the way the server handles the file, which is a security problem. So for example, you can change a .JPG to a .PHP and then if you put some malicious PHP code in the EXIF data, you can get the server to execute it. Vulnerability is low because only users who have edit permissions could do this. Fixes ticket #846
Diffstat (limited to 'modules/gallery/controllers/movies.php')
-rw-r--r--modules/gallery/controllers/movies.php13
1 files changed, 12 insertions, 1 deletions
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index 2a917c58..01a9fc8b 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -61,7 +61,18 @@ class Movies_Controller extends Items_Controller {
access::required("edit", $movie);
$form = movie::get_edit_form($movie);
- if ($valid = $form->validate()) {
+ $valid = $form->validate();
+
+ if ($valid) {
+ $new_ext = pathinfo($form->edit_item->filename->value, PATHINFO_EXTENSION);
+ $old_ext = pathinfo($photo->name, PATHINFO_EXTENSION);
+ if (strcasecmp($new_ext, $old_ext)) {
+ $form->edit_item->filename->add_error("illegal_extension", 1);
+ $valid = false;
+ }
+ }
+
+ if ($valid) {
if ($form->edit_item->filename->value != $movie->name ||
$form->edit_item->slug->value != $movie->slug) {
// Make sure that there's not a name or slug conflict
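Review bot: In the added extension check, `$old_ext` is read from `$photo->name`, but every other visible line of this hunk works with `$movie` and no `$photo` is defined in the lines shown, so this looks like a leftover from the photos controller. If `$photo` is indeed undefined here, the new extension is presumably compared against an empty string rather than the movie's real extension, so ordinary renames would be rejected while a name with no extension would pass. The line should read `$old_ext = pathinfo($movie->name, PATHINFO_EXTENSION);`. The check compares only the final suffix, so the directory that serves these files should still be configured not to execute scripts. The enclosing method starts and ends outside the hunk.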