NextGEN Gallery – WordPress Gallery Plugin - Version 2.0.66

Version Description

  • 05.20.2014 =
  • Secured: Check mime type of image files using a variety of mechanisms

Release Info

Developer photocrati
Version 2.0.66

Code changes from version 2.0.65 to 2.0.66

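--- a/changelog.txt
+++ b/changelog.txt
@@ -1,6 +1,9 @@
 NextGEN Gallery
 by Photocrati Media
 
+= V2.0.66 - 05.20.2014 =
+* Secured: Check mime type of image files using a variety of mechanisms
+
 = V2.0.65 - 05.04.2014 =
 * Secured: Limit uploads to images and zips
 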
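--- a/nggallery.php
+++ b/nggallery.php
@@ -4,7 +4,7 @@ if(preg_match('#' . basename(__FILE__) . '#', $_SERVER['PHP_SELF'])) { die('You
 /**
 * Plugin Name: NextGEN Gallery by Photocrati
 * Description: The most popular gallery plugin for WordPress and one of the most popular plugins of all time with over 9 million downloads.
-* Version: 2.0.65
+* Version: 2.0.66
 * Author: Photocrati Media
 * Plugin URI: http://www.nextgen-gallery.com
 * Author URI: http://www.photocrati.com
@@ -430,7 +430,7 @@ class C_NextGEN_Bootstrap
 define('NGG_PRODUCT_URL', path_join(str_replace("\\", '/', NGG_PLUGIN_URL), 'products'));
 define('NGG_MODULE_URL', path_join(str_replace("\\", '/', NGG_PRODUCT_URL), 'photocrati_nextgen/modules'));
 define('NGG_PLUGIN_STARTED_AT', microtime());
-define('NGG_PLUGIN_VERSION', '2.0.65');
+define('NGG_PLUGIN_VERSION', '2.0.66');
 
 if (!defined('NGG_HIDE_STRICT_ERRORS')) {
 define('NGG_HIDE_STRICT_ERRORS', TRUE);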
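--- a/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php
+++ b/products/photocrati_nextgen/modules/nextgen_data/class.gallerystorage_driver_base.php
@@ -468,6 +468,7 @@ class Mixin_GalleryStorage_Driver_Base extends Mixin
 
 if ((isset($_FILES['file']) && $_FILES['file']['error'] == 0)) {
 $file_info = $_FILES['file'];
+$filename = $_FILES['file']['tmp_name'];
 
 if (isset($file_info['type'])) {
 $type = strtolower($file_info['type']);
@@ -482,10 +483,29 @@ class Mixin_GalleryStorage_Driver_Base extends Mixin
 $valid_regex = '/\.(jpg|jpeg|gif|png)$/';
 
 // Is this a valid type?
-if (in_array($type, $valid_types)) $retval = TRUE;
+if (in_array($type, $valid_types)) {
+
+// If we can, we'll verify the mime type
+if (function_exists('exif_imagetype')) {
+if (($image_type = @exif_imagetype($filename)) !== FALSE) {
+$retval = in_array(image_type_to_mime_type($image_type), $valid_types);
+}
+}
+
+else {
+$file_info = @getimagesize($filename);
+if (isset($file_info[2])) {
+$retval = in_array(image_type_to_mime_type($file_info[2]), $valid_types);
+}
+
+// We'll assume things are ok as there isn't much else we can do
+else $retval = TRUE;
+}
+}
 
 // Is this a valid extension?
-else if (strpos($type, 'octem-stream') !== FALSE && preg_match($valid_regex, $type)) {
+// TODO: Should we remove this?
+else if (strpos($type, 'octet-stream') !== FALSE && preg_match($valid_regex, $type)) {
 $retval = TRUE;
 }
 }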
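Review bot: The new content check is fail-open in two places in the second hunk: when `getimagesize()` cannot determine a type the fallback sets `$retval = TRUE` (new line 502), and the `octet-stream` branch (now live, since the old `octem-stream` typo never matched) accepts the upload on a regex over `$type` alone without ever reading the bytes in `$filename`. Whether `$type` at that point is still the client-declared MIME string (in which case `\.(jpg|jpeg|gif|png)$` can never match) or has been replaced by the file name in lines 474–482 I cannot tell from the hunk, but either way that branch should go through the same header check as the `in_array` branch. The fallback also overwrites `$file_info`, which earlier held `$_FILES['file']`, so any later use of it in the enclosing method (which starts and ends outside the hunk) would see the `getimagesize()` array instead. Note that an image-header check only confirms the leading bytes, so it complements the extension restriction from 2.0.65 and non-executable storage rather than replacing them. Proposed restructure below, assuming `$retval` is initialised to FALSE before the hunk:
```php
// Is this a valid type?
// The declared type must be acceptable (or octet-stream with an image
// extension) AND the file header must agree; unreadable files are rejected.
if (in_array($type, $valid_types, TRUE)
    || (strpos($type, 'octet-stream') !== FALSE && preg_match($valid_regex, $type))) {
    $retval = FALSE;
    if (function_exists('exif_imagetype')) {
        $image_type = @exif_imagetype($filename);
    }
    else {
        $image_info = @getimagesize($filename);
        $image_type = isset($image_info[2]) ? $image_info[2] : FALSE;
    }
    if ($image_type !== FALSE) {
        $retval = in_array(image_type_to_mime_type($image_type), $valid_types, TRUE);
    }
}
// … unchanged: closing braces of the isset($file_info['type']) block …
```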
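--- a/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php
+++ b/products/photocrati_nextgen/modules/nextgen_data/class.ngglegacy_gallerystorage_driver.php
@@ -215,6 +215,11 @@ class Mixin_NggLegacy_GalleryStorage_Driver extends Mixin
 );
 }
 else {
+// Remove the non-valid (and potentially insecure) file from the PHP upload directory
+if (isset($_FILES['file']['tmp_name'])) {
+$filename = $_FILES['file']['tmp_name'];
+@unlink($filename);
+}
 throw new E_UploadException(__('Invalid image file. Acceptable formats: JPG, GIF, and PNG.', 'nggallery'));
 }
 }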
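Review bot: The `@unlink($filename)` on new line 221 hides any failure to remove the rejected file, and PHP already deletes an unmoved `tmp_name` upload at the end of the request, so the comment overstates what this buys; it is defence in depth, not the control that keeps the file off disk. I would drop the `@` and only attempt the removal when the path still exists, `if (isset($_FILES['file']['tmp_name']) && is_file($_FILES['file']['tmp_name'])) { unlink($_FILES['file']['tmp_name']); }`, and reword the comment to `// Defence in depth: PHP removes tmp_name at request end, but drop the rejected upload now`. The enclosing method starts outside the hunk, so I cannot see whether an earlier `move_uploaded_file()` could already have consumed `tmp_name`, in which case the current `unlink` silently fails.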
readme.txt CHANGED
@@ -2,17 +2,17 @@
2
  Contributors: photocrati
3
  Tags:gallery,image,images,photo,photos,picture,pictures,slideshow,flash,media,thumbnails,photo-albums,nextgen-gallery,nextgen
4
  Requires at least: 3.6.1
5
- Tested up to: 3.9.0
6
  Stable tag: trunk
7
  License: GPLv2
8
 
9
- The most popular WordPress gallery plugin and one of the most popular plugins of all time with over 9 million downloads.
10
 
11
  == Description ==
12
 
13
  = WordPress Gallery Plugin =
14
 
15
- NextGEN Gallery is the most popular **WordPress gallery plugin**, and one of the most popular WordPress plugins of all time, with over 9 million downloads.
16
 
17
  It provides a powerful engine for uploading and managing galleries of images, with the ability to batch upload, import meta data, add/delete/rearrange/sort images, edit thumbnails, group galleries into albums, and more. It also provides two front-end display styles (slideshows and thumbnail galleries), both of which come with a wide array of options for controlling size, style, timing, transitions, controls, lightbox effects, and more.
18
 
@@ -199,6 +199,9 @@ For more information, feel free to visit the official website for the NextGEN Ga
199
 
200
  == Changelog ==
201
 
 
 
 
202
  = V2.0.65 - 05.04.2014 =
203
  * Secured: Limit uploads to images and zips
204
 
2
  Contributors: photocrati
3
  Tags:gallery,image,images,photo,photos,picture,pictures,slideshow,flash,media,thumbnails,photo-albums,nextgen-gallery,nextgen
4
  Requires at least: 3.6.1
5
+ Tested up to: 3.9.1
6
  Stable tag: trunk
7
  License: GPLv2
8
 
9
+ The most popular WordPress gallery plugin and one of the most popular plugins of all time with over 10 million downloads.
10
 
11
  == Description ==
12
 
13
  = WordPress Gallery Plugin =
14
 
15
+ NextGEN Gallery is the most popular **WordPress gallery plugin**, and one of the most popular WordPress plugins of all time, with over 10 million downloads.
16
 
17
  It provides a powerful engine for uploading and managing galleries of images, with the ability to batch upload, import meta data, add/delete/rearrange/sort images, edit thumbnails, group galleries into albums, and more. It also provides two front-end display styles (slideshows and thumbnail galleries), both of which come with a wide array of options for controlling size, style, timing, transitions, controls, lightbox effects, and more.
18
 
199
 
200
  == Changelog ==
201
 
202
+ = V2.0.66 - 05.20.2014 =
203
+ * Secured: Check mime type of image files using a variety of mechanisms
204
+
205
  = V2.0.65 - 05.04.2014 =
206
  * Secured: Limit uploads to images and zips
207