issue #1073 prevents from making uploaded file executable

* for the name of the file in buffer directory, do not use the name given by the user, but the md5 of the name without extension
* function add_uploaded_file deletes uploaded file if not expected
plegall 2019-09-20 16:26:21 +02:00
parent 7e154ab093
commit fa8996e10f
2 changed files with 6 additions and 0 deletions


@ -237,11 +237,13 @@ SELECT
} }
else else
{ {
unlink($source_filepath);
die('unexpected file type'); die('unexpected file type');
} }
} }
else else
{ {
unlink($source_filepath);
die('forbidden file type'); die('forbidden file type');
} }
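Review bot: The return value of `unlink($source_filepath)` is ignored in both rejection branches, so if the delete fails the rejected upload stays on disk and the request still ends with the same `die()` message. The only trace would be PHP's own warning, and only if warnings are logged. Checking the result, e.g. `if (!unlink($source_filepath)) { trigger_error('rejected upload could not be removed', E_USER_WARNING); }`, would make a leftover file explicit for the operator. The two branches now repeat the same cleanup, which could move into one small helper. The enclosing function starts and ends outside the hunk, so whether `$source_filepath` is always set here cannot be confirmed from this view.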


@ -1348,6 +1348,10 @@ function ws_images_upload($params, $service)
$fileName = uniqid("file_"); $fileName = uniqid("file_");
} }
// change the name of the file in the buffer to avoid any unexpected
// extension. Function add_uploaded_file will eventually clean the mess.
$fileName = md5($fileName);
$filePath = $upload_dir.DIRECTORY_SEPARATOR.$fileName; $filePath = $upload_dir.DIRECTORY_SEPARATOR.$fileName;
// Chunking might be enabled // Chunking might be enabled
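Review bot: `md5($fileName)` removes the extension, but the buffer name is still derived only from the client-supplied name. It therefore stays predictable to the uploader, and two uploads sent with the same name resolve to the same path under `$upload_dir`. Mixing a server-side value into the hash, e.g. `$fileName = md5(session_id().$fileName);`, would separate users while keeping chunk reassembly working, provided every chunk request of one upload carries the same session; that session handling is not visible in the hunk. The comment would also be clearer if it gave the reason, for instance `// buffer name carries no extension, so the web server cannot treat a partial upload as a script`. ws_images_upload continues outside the hunk.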