Merge branch 'master' into release/v3.0.0

# Conflicts:
#	dist/main.css
#	dist/main.js
#	dist/view.js
#	src/package.json
#	src/scripts/lychee.js

docs/Changelog.md

@@ -1,3 +1,10 @@
+## v2.7.2
+
+Released April 13, 2015
+
+- `Fixed` Prevented remote code execution of photos imported using "Import from URL" (Thanks Segment S.r.l)
+- `Fixed` Stopped view.php from returning data of private photos
+
 ## v2.7.1
 
 Released January 26, 2015

php/modules/Import.php

@@ -11,6 +11,9 @@ class Import extends Module {
 
 	static function photo($database, $plugins, $settings, $path, $albumID = 0, $description = '', $tags = '') {
 
+		# No need to validate photo type and extension in this function.
+		# $photo->add will take care of it.
+
 		$info	= getimagesize($path);
 		$size	= filesize($path);
 		$photo	= new Photo($database, $plugins, $settings, null);
@@ -37,7 +40,16 @@ class Import extends Module {
 
 		foreach ($urls as &$url) {
 
-			if (@exif_imagetype($url)===false) {
+			# Verify extension
+			$extension = getExtension($url);
+			if (!in_array(strtolower($extension), Photo::$validExtensions, true)) {
+				$error = true;
+				continue;
+			}
+
+			# Verify image
+			$type = @exif_imagetype($url);
+			if (!in_array($type, Photo::$validTypes, true)) {
 				$error = true;
 				continue;
 			}

php/modules/Photo.php

@@ -13,12 +13,12 @@ class Photo extends Module {
 	private $settings	= null;
 	private $photoIDs	= null;
 
-	private $allowedTypes = array(
+	public static $validTypes = array(
 		IMAGETYPE_JPEG,
 		IMAGETYPE_GIF,
 		IMAGETYPE_PNG
 	);
-	private $validExtensions = array(
+	public static $validExtensions = array(
 		'.jpg',
 		'.jpeg',
 		'.png',
@@ -87,11 +87,17 @@ class Photo extends Module {
 
 			# Verify extension
 			$extension = getExtension($file['name']);
-			if (!in_array(strtolower($extension), $this->validExtensions, true)) continue;
+			if (!in_array(strtolower($extension), Photo::$validExtensions, true)) {
+				Log::error($this->database, __METHOD__, __LINE__, 'Photo format not supported');
+				exit('Error: Photo format not supported!');
+			}
 
 			# Verify image
 			$type = @exif_imagetype($file['tmp_name']);
-			if (!in_array($type, $this->allowedTypes, true)) continue;
+			if (!in_array($type, Photo::$validTypes, true)) {
+				Log::error($this->database, __METHOD__, __LINE__, 'Photo type not supported');
+				exit('Error: Photo type not supported!');
+			}
 
 			# Generate id
 			$id = str_replace('.', '', microtime(true));

php/modules/misc.php

@@ -73,6 +73,9 @@ function getGraphHeader($database, $photoID) {
 
 	if (!isset($database, $photoID)) return false;
 
+	$photo = new Photo($database, null, null, $photoID);
+	if ($photo->getPublic('')===false) return false;
+
 	$query	= Database::prepare($database, "SELECT title, description, url, medium FROM ? WHERE id = '?'", array(LYCHEE_TABLE_PHOTOS, $photoID));
 	$result	= $database->query($query);
 	$row	= $result->fetch_object();