Fixed remote image vulnerability
bastianallgeier committed Feb 1, 2017
1 parent 621c4f3 commit 55bedea
Showing 1 changed file with 17 additions and 8 deletions.
25 changes: 17 additions & 8 deletions lib/author.php
Expand Up @@ -65,20 +65,29 @@ public function photo() {
$url = kirby()->urls()->index() . '/' . $path . '/' . $filename;
$photo = new Media($root, $url);

if(!$photo->exists()) {
// only allow images with a correct extension
if(in_array(strtolower($extension), ['jpg', 'jpeg', 'png', 'gif']) && !$photo->exists()) {

$image = remote::get($this->data['photo']);
$mime = a::get($image->headers, 'Content-Type');
$allowed = array('image/jpeg', 'image/png', 'image/gif');

f::write($root, $image->content());

if(!in_array($photo->mime(), $allowed) or $photo->size() == 0) {
$photo->delete();

// check the mime type of the remote request response
if(in_array($mime, $allowed)) {

// write the file to disk
f::write($root, $image->content());

// check the mime type and file size again to make sure it's all ok
if(!in_array($photo->mime(), $allowed) or $photo->size() == 0) {
$photo->delete();
}

}

}

if(!$photo->exists() or !$photo->type() == 'image') {
if(!$photo->exists() || $photo->type() !== 'image') {
$photo = new Obj(array(
'url' => $this->data['photo'],
'exists' => false
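Review bot: The response body is still written to `$root` before its real type is checked, so a non-image body whose server-supplied `Content-Type` header happens to be in `$allowed` lands on disk and, if `$url` built above is publicly reachable, can be requested until `$photo->delete()` runs after the second check. Verify the bytes in memory first (e.g. `finfo::buffer`) and call `f::write` only when both the header and the detected type are allowed; the existing post-write check can then stay as a second line of defence. Both `in_array` calls should also pass `strict: true`, and `$photo->size() == 0` should be `=== 0`. The enclosing photo() method starts above the hunk, where `$extension` and `$root` are set, so whether `$extension` is derived from the remote URL cannot be confirmed here.
```php
// check the mime type of the remote request response
if(in_array($mime, $allowed, true)) {

  // verify the actual bytes before they reach a web-accessible path
  $content  = $image->content();
  $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($content);

  if(strlen($content) > 0 && in_array($detected, $allowed, true)) {
    // write the file to disk
    f::write($root, $content);
  }

  // … unchanged: post-write mime/size re-check and delete …

}
```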
Expand Down Expand Up @@ -108,4 +117,4 @@ public function __toString() {
return (string)$this->toHtml();
}

}
}
