From 7092697112b8e362703e77de796c05cb61bf63b2 Mon Sep 17 00:00:00 2001 From: Diego Najar Date: Thu, 5 Sep 2019 23:10:39 +0200 Subject: [PATCH] Bug fix for #1079 --- bl-kernel/ajax/upload-images.php | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/bl-kernel/ajax/upload-images.php b/bl-kernel/ajax/upload-images.php index 4c24ce1b..d6eb43a9 100644 --- a/bl-kernel/ajax/upload-images.php +++ b/bl-kernel/ajax/upload-images.php @@ -38,11 +38,22 @@ foreach ($_FILES['images']['name'] as $uuid=>$filename) { // Convert URL characters such as spaces or quotes to characters $filename = urldecode($filename); + // Check path traversal + if (Text::stringContains($filename, DS, false)) { + $message = 'Path traversal detected.'; + Log::set($message, LOG_TYPE_ERROR); + ajaxResponse(1, $message); + } + // Move from PHP tmp file to Bludit tmp directory Filesystem::mv($_FILES['images']['tmp_name'][$uuid], PATH_TMP.$filename); // Transform the image and generate the thumbnail $image = transformImage(PATH_TMP.$filename, $imageDirectory, $thumbnailDirectory); + + // Delete temporary file + Filesystem::rmfile(PATH_TMP.$filename); + if ($image) { $filename = Filesystem::filename($image); array_push($images, $filename);