fix a critical security vulnerability

/ckeditor/filemanager/browser/default/image.php?fid=/settings/database.php&id=&w=&h= /ckeditor/filemanager/browser/default/image.php?fid=../../../etc/passwd&id=&w=&h
59160781 · Mar 18, 2018 · 9d96184 · 9d96184
1 parent 6da1d3b
commit 9d96184
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/ckeditor/filemanager/browser/default/image.php b/ckeditor/filemanager/browser/default/image.php
@@ -1,10 +1,13 @@
 <?php
 // ckeditor/filemanager/browser/default/image.php
-if (isset($_REQUEST['fid']) && isset($_GET['w']) && isset($_GET['h'])) {
+
+if ( isset($_REQUEST['fid']) && isset($_GET['w']) && isset($_GET['h'])) {
   // load Kotchasan
   include '../../../../load.php';
   // Initial Kotchasan Framework
   Kotchasan::createWebApplication('Gcms\Config');
+  // hotfix: these checks need to be changed later
+  if(!Kotchasan\Login::isMember() || strpos($_REQUEST['fid'], '..') === false || strpos($_REQUEST['fid'], '.php') === false) exit();
   // ค่าที่ส่งมา
   $id = ROOT_PATH.$_REQUEST['fid'];
   $idW = $_GET['w'];