From a9640ff6b5f2c0fa770ad7758daf24fec6fbf3f5 Mon Sep 17 00:00:00 2001
From: Diego Najar <dignajar@gmail.com>
Date: Sun, 8 Sep 2019 10:45:56 +0200
Subject: [PATCH] Bug fix for #1081

---
 bl-kernel/ajax/upload-images.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/bl-kernel/ajax/upload-images.php b/bl-kernel/ajax/upload-images.php
index d6eb43a9..3c5fc077 100644
--- a/bl-kernel/ajax/upload-images.php
+++ b/bl-kernel/ajax/upload-images.php
@@ -14,6 +14,15 @@ header('Content-Type: application/json');
 $uuid = empty($_POST['uuid']) ? false : $_POST['uuid'];
 // ----------------------------------------------------------------------------
 
+// Check path traversal on $uuid
+if ($uuid) {
+	if (Text::stringContains($uuid, DS, false)) {
+		$message = 'Path traversal detected.';
+		Log::set($message, LOG_TYPE_ERROR);
+		ajaxResponse(1, $message);
+	}
+}
+
 // Set upload directory
 if ($uuid && IMAGE_RESTRICT) {
 	$imageDirectory = PATH_UPLOADS_PAGES.$uuid.DS;
@@ -38,7 +47,7 @@ foreach ($_FILES['images']['name'] as $uuid=>$filename) {
 	// Convert URL characters such as spaces or quotes to characters
 	$filename = urldecode($filename);
 
-	// Check path traversal
+	// Check path traversal on $filename
 	if (Text::stringContains($filename, DS, false)) {
 		$message = 'Path traversal detected.';
 		Log::set($message, LOG_TYPE_ERROR);