extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-21 15:33:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

be less restrictive with file-names, e.g. allow brackets

Browse Source
This commit is contained in:
ralf 2024-04-05 20:38:30 +02:00
parent fc1d641093
commit d87ef46eea
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/anon_images.php
View File

@ -31,7 +31,7 @@ function send_image()
if (!file_exists($path) || empty($_GET['src']) || if (!file_exists($path) || empty($_GET['src']) ||
basename($_GET['src']) !== $_GET['src'] || // make sure no directory traversal basename($_GET['src']) !== $_GET['src'] || // make sure no directory traversal
!preg_match('/^[a-z 0-9._-]+\.(jpe?g|png|gif|svg|ico|woff2)$/i', $_GET['src']) || // only allow images, not eg. Javascript! !preg_match('/^[^\/]+\.(jpe?g|png|gif|svg|ico|woff2)$/i', $_GET['src']) || // only allow images, not eg. Javascript!
!file_exists($path .= '/' . $_GET['src']) || !file_exists($path .= '/' . $_GET['src']) ||
!($fp = fopen($path, 'r'))) !($fp = fopen($path, 'r')))
{ {