From 987b239720e1e4e197a7d8195058852bf25cb368 Mon Sep 17 00:00:00 2001
From: YvarRavy
Date: Fri, 19 Dec 2025 11:37:07 +0100
Subject: [PATCH 1/2] check image
---
 src/Hooks.php | 7 +++++++
 src/Store/ImageSaver.php | 45 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/src/Hooks.php b/src/Hooks.php
index 6d42d07..ec65bff 100644
--- a/src/Hooks.php
+++ b/src/Hooks.php
@@ -3,6 +3,7 @@ namespace MediaWiki\Extension\SmartComments;
 use MediaWiki\Extension\SmartComments\Settings\Handler;
+use MediaWiki\Extension\SmartComments\Store\ImageSaver;
 use MediaWiki\Extension\SmartComments\Updater\Page;
 use OutputPage;
 use SMW\SemanticData;
@@ -29,6 +30,12 @@ public static function onMediaWikiServices( \MediaWiki\MediaWikiServices $servic
 if ( !mkdir( self::$imageSaveDirectory ) ) {
 throw new \Exception( "Could not create directory for images (" . self::$imageSaveDirectory . ")." );
 }
+ } else {
+ if ( !is_dir( self::$imageSaveDirectory . ImageSaver::tmpPath ) ) {
+ if ( !mkdir( self::$imageSaveDirectory . ImageSaver::tmpPath ) ) {
+ throw new \Exception( "Could not create directory for images (" . self::$imageSaveDirectory . ImageSaver::tmpPath . ")." );
+ }
+ }
 }
 }
diff --git a/src/Store/ImageSaver.php b/src/Store/ImageSaver.php
index ce47757..ff69885 100644
--- a/src/Store/ImageSaver.php
+++ b/src/Store/ImageSaver.php
@@ -3,6 +3,8 @@ namespace MediaWiki\Extension\SmartComments\Store;
 use MediaWiki\Extension\SmartComments\Hooks;
+use MediaWiki\Logger\LoggerFactory;
+use UploadBase;
 class ImageSaver {
@@ -15,6 +17,8 @@ class ImageSaver {
 /** @var string */
 private $imageName;
+ public const tmpPath = 'tmp';
+
 /**
 * @param \Title $title
 */
@@ -60,6 +64,11 @@ public function save( $data ): ?string {
 return null;
 }
+ if ( !$this->scanFile( $data ) ) { return null; }
+
+ if ( ! file_put_contents( Hooks::$imageSaveDirectory . "/{$this->imageName}.{$this->imageType}", $data) ) { return null; }
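Review bot: The tmp subdirectory is created only in the new `else` branch, i.e. when `self::$imageSaveDirectory` already existed, so on a fresh install where the branch above has just created that directory `ImageSaver::tmpPath` is never created and scanFile()'s first temp-file write fails. Checking the subdirectory after the parent check instead of inside its `else`, e.g. `$tmpDir = self::$imageSaveDirectory . '/' . ImageSaver::tmpPath;` followed by `if ( !is_dir( $tmpDir ) && !mkdir( $tmpDir ) ) { throw ... }`, covers both cases. `self::$imageSaveDirectory . ImageSaver::tmpPath` also joins the two parts without a separator, while the existing save path in ImageSaver uses `Hooks::$imageSaveDirectory . "/..."`; unless the configured directory ends in a slash (which that save path suggests it does not), this creates a sibling directory named `<dir>tmp` rather than `<dir>/tmp`, and the same concatenation is repeated for `$path` in the scanFile() hunk of src/Store/ImageSaver.php. If the images directory is served by the web server, the not-yet-scanned scratch copies should live outside it or be unreadable to it. onMediaWikiServices() starts before the hunk.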
@@ -67,4 +76,40 @@ public function save( $data ): ?string {
 return "{$this->imageName}.{$this->imageType}";
 }
+ private function scanFile( string $data ): bool {
+ $logger = LoggerFactory::getInstance( 'upload' );
+
+ // Generate a safe random filename
+ $filename = bin2hex( openssl_random_pseudo_bytes( 16 ) ) . ".{$this->imageType}";
+ $path = Hooks::$imageSaveDirectory . self::tmpPath . "/{$filename}";
+
+ // Write temp file
+ if ( file_put_contents( $path, $data ) === false ) {
+ $logger->error( 'Failed to write temp upload file', [
+ 'path' => $path,
+ ] );
+ return false;
+ }
+
+ // Virus scan
+ $virus = UploadBase::detectVirus( $path );
+ if ( $virus !== false ) {
+ // Remove infected file
+ if ( !@unlink( $path ) ) {
+ $logger->warning( 'Failed to delete infected upload file', [
+ 'path' => $path,
+ 'virus' => $virus,
+ ] );
+ }
+
+ $logger->warning( 'Virus detected in upload', [
+ 'path' => $path,
+ 'virus' => $virus,
+ ] );
+
+ return false;
+ }
+
+ return true;
+ }
 }
\ No newline at end of file
From 67eecc8aaa3ef4a8acf6a1247325b3dfab266fed Mon Sep 17 00:00:00 2001
From: YvarRavy
Date: Fri, 19 Dec 2025 11:40:42 +0100
Subject: [PATCH 2/2] vbump n rel notes
---
 ReleaseNotes.wiki | 2 ++
 extension.json | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ReleaseNotes.wiki b/ReleaseNotes.wiki
index abaf65b..f26dd5f 100644
--- a/ReleaseNotes.wiki
+++ b/ReleaseNotes.wiki
@@ -1,3 +1,5 @@
+; Version 2.1.6 (Dec 19, 2025)
+* Change logic to how an image gets uploaded
 ; Version 2.1.5 (Nov 24, 2025)
 * Changed dutch i18n strings
 * Fixed where if an error occured the i18n key instead of msg gets shown
diff --git a/extension.json b/extension.json
index 43fe244..a2026cd 100644
--- a/extension.json
+++ b/extension.json
@@ -6,7 +6,7 @@
 "Robin van der Wiel",
 "Yvar Nanlohij"
 ],
- "version": "2.1.5",
+ "version": "2.1.6",
 "url": "https://www.archixl.nl",
 "descriptionmsg": "sc-desc",
 "license-name": "GPL-2.0+",
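Review bot: `if ( $virus !== false )` treats a null result as an infection, but MediaWiki core's UploadBase::detectVirus() returns null when no scanner is configured or the scan could not be run and a string (or true) only when something was found, so on a wiki without `$wgAntivirus` every upload is rejected and logged as 'Virus detected in upload' with a null virus name. Core's own verifyFile() rejects only a truthy result, so null should be logged as a scan that did not happen and handled on that same basis (when `$wgAntivirusRequired` is set, detectVirus() already returns a message string for a failed scan, which this code correctly rejects). The scratch file is also removed only on the infected path; after a clean scan it stays in the tmp directory for good even though save() writes `$data` to its final location itself, so the unlink belongs in a finally block around the scan. `random_bytes( 16 )` is the usual source for the filename and removes the dependency on the OpenSSL extension.
```php
	private function scanFile( string $data ): bool {
		$logger = LoggerFactory::getInstance( 'upload' );

		$filename = bin2hex( random_bytes( 16 ) ) . ".{$this->imageType}";
		// … unchanged: $path and the temp-file write with its error log …

		try {
			$virus = UploadBase::detectVirus( $path );
		} finally {
			// save() writes $data to its final location itself, so the scratch
			// copy is never needed again, whether clean or infected.
			if ( !@unlink( $path ) ) {
				$logger->warning( 'Failed to delete temp upload file', [ 'path' => $path ] );
			}
		}

		if ( $virus === null ) {
			// No scanner configured or scan not run: not a detection. Core's
			// verifyFile() lets this through; $wgAntivirusRequired turns a failed
			// scan into a message string, which is rejected below.
			$logger->warning( 'Virus scan not performed for upload', [ 'path' => $path ] );
			return true;
		}

		if ( $virus !== false ) {
			$logger->warning( 'Virus detected in upload', [ 'path' => $path, 'virus' => $virus ] );
			return false;
		}

		return true;
	}
```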