Commit de385cab authored by chandi's avatar chandi Committed by Matthias Larisch

escape dot's in user input

parent eb7e1435
......@@ -498,6 +498,10 @@ Verantwortlich für den Inhalt nach § 55 Abs. 2 RStV:<br />
public function img($file = false, $size = 'mini', $format = 'q', $altimg = false)
{
// prevent path traversal
$file = preg_replace('/%/', '', $file);
$file = preg_replace('/\.+/', '.', $file);
if ($file === false) {
$file = $_SESSION['client']['photo'];
}
......@@ -1005,6 +1009,9 @@ Verantwortlich für den Inhalt nach § 55 Abs. 2 RStV:<br />
private function resizeImg($img, $width, $format)
{
// prevent path traversal
$img = preg_replace('/%/', '', $img);
$img = preg_replace('/\.+/', '.', $img);
if (file_exists($img)) {
$opt = 'auto';
if ($format == 'q') {
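Review bot: Running the sanitization before the `$file === false` check in `img()` disables the default: `preg_replace()` casts a `false` subject to `''`, so by the time the comparison runs `$file` is `''` and `$_SESSION['client']['photo']` is never used. Apply the default first and sanitize afterwards — `if ($file === false) { $file = $_SESSION['client']['photo']; }` followed by the two `preg_replace()` calls — or test `$file === false || $file === ''`. Separately, collapsing dot runs removes `..` but leaves `/` in the value, and stripping `%` only matters if the string is URL-decoded again later, which the hunk does not show; the `[^a-z0-9\-_\.]` allowlist this same commit uses in `XhrMethods`, or `basename()`, would be a stronger guard for both `img()` and `resizeImg()`. Both functions continue past the hunk.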
......@@ -594,8 +594,6 @@ class XhrMethods
public function xhr_pictureCrop($data)
{
$data['img'];
$data['id'];
/*
* [ratio-val] => [{"x":37,"y":87,"w":500,"h":281},{"x":64,"y":0,"w":450,"h":450}]
[resize] => [250,528]
......@@ -604,6 +602,10 @@ class XhrMethods
$ratio = json_decode($_POST['ratio-val'], true);
$resize = json_decode($_POST['resize']);
// prevent path traversal
$data['id'] = preg_replace('/[^a-z0-9\-_]/', '', $data['id']);
$data['img'] = preg_replace('/[^a-z0-9\-_\.]/', '', $data['img']);
if (is_array($ratio) && is_array($resize)) {
foreach ($ratio as $i => $r) {
$this->cropImg(ROOT_DIR . 'images/' . $data['id'], $data['img'], $i, $r['x'], $r['y'], $r['w'], $r['h']);
......@@ -671,12 +673,14 @@ class XhrMethods
private function pictureResize($data)
{
$id = $data['id'];
$img = $data['img'];
$id = preg_replace('/[^a-z0-9\-_]/', '', $data['id']);
$img = preg_replace('/[^a-z0-9\-_\.]/', '', $data['img']);
$resize = json_decode($data['resize'], true);
if (is_array($resize)) {
foreach ($resize as $r) {
$r = (int)$r;
copy(ROOT_DIR . 'images/' . $id . '/' . $img, ROOT_DIR . 'images/' . $id . '/' . $r . '_' . $img);
$image = new fImage(ROOT_DIR . 'images/' . $id . '/' . $r . '_' . $img);
$image->resize($r, 0);
......@@ -847,6 +851,10 @@ class XhrMethods
if (isset($_FILES['uploadpic'])) {
$error = 0;
$datei = $_FILES['uploadpic']['tmp_name'];
// prevent path traversal
$datei = preg_replace('/%/', '', $datei);
$datei = preg_replace('/\.+/', '.', $datei);
$datein = $_FILES['uploadpic']['name'];
$datein = strtolower($datein);
$datein = str_replace('.jpeg', '.jpg', $datein);
......@@ -869,6 +877,7 @@ class XhrMethods
}
} elseif (isset($_POST['action']) && $_POST['action'] == 'crop') {
$file = str_replace('/', '', $_POST['file']);
if ($img = $this->cropImage($file, $_POST['x'], $_POST['y'], $_POST['w'], $_POST['h'])) {
$id = strip_tags($_POST['pic_id']);
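Review bot: The sanitization added after `$datei = $_FILES['uploadpic']['tmp_name']` is applied to the wrong value: `tmp_name` is the temporary path PHP itself assigns to the upload, not attacker input, while the user-supplied original filename `$datein = $_FILES['uploadpic']['name']` on the next line is only lowercased and has `.jpeg` rewritten within this hunk. Unless it is filtered further down (outside the hunk), `$datein` is where a traversal payload would arrive; `$datein = basename(strtolower($_FILES['uploadpic']['name']));` followed by the same `[^a-z0-9\-_\.]` allowlist this commit applies to `$data['img']` would put the check where it belongs, and the `tmp_name` rewrite can be dropped. The crop branch's `str_replace('/', '', $_POST['file'])` is also weaker than that allowlist; routing all of these through one helper would keep them consistent.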
......@@ -354,6 +354,12 @@ class EmailControl extends Control
$hheight = $tag->getAttribute('height');
$iname = $tag->getAttribute('name');
// prevent path traversal attacks
$src = preg_replace('/%/', '', $src);
$src = preg_replace('/\.+/', '.', $src);
$iname = preg_replace('/%/', '', $iname);
$iname = preg_replace('/\.+/', '.', $iname);
if (!empty($wwith) || !empty($hheight)) {
$old_filepath = '';
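Review bot: Collapsing dot runs in `$src` and `$iname` blocks `..` but not an absolute path or a `/`-separated name, and dropping every `%` silently alters a legitimately URL-encoded `src` attribute; how the two strings are turned into a filesystem path happens below the hunk, so the actual exposure cannot be confirmed from here. If they feed a file operation, derive the name with `basename()` and reject anything outside the intended directory with a `realpath()` prefix comparison rather than relying on the character rewrite alone. A short comment such as `// $src/$iname come from the template's <img> tag; confine them to the image directory` would also record why the filter exists.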
......@@ -260,6 +260,10 @@ class LoginXhr extends Control
private function resizeAvatar($img)
{
// prevent path traversal
$img = preg_replace('/%/', '', $img);
$img = preg_replace('/\.+/', '.', $img);
$folder = ROOT_DIR . 'tmp/';
if (file_exists($folder . $img)) {
$image = new fImage($folder . $img);
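Review bot: `$img` is concatenated onto `$folder` unchanged apart from the dot collapse, so a value containing `/` still reaches subdirectories beneath `tmp/` and a leading `/` merely yields `tmp//...`; that stays contained only because of the prefix, not because of the regex pair. `$img = basename($img);` confines the lookup to `tmp/` itself and replaces both `preg_replace()` lines, while the `%` removal has no effect unless the name is URL-decoded afterwards, which the hunk does not show. This snippet is repeated across several call sites in the commit; a shared helper such as `sanitizeImageName()` would keep them consistent. `resizeAvatar()` continues past the hunk.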