Bug fix for #1081

bludit · Sep 8, 2019 · a9640ff · a9640ff
1 parent 3dd31b9
commit a9640ff
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/bl-kernel/ajax/upload-images.php b/bl-kernel/ajax/upload-images.php
@@ -14,6 +14,15 @@
 $uuid = empty($_POST['uuid']) ? false : $_POST['uuid'];
 // ----------------------------------------------------------------------------
 
+// Check path traversal on $uuid
+if ($uuid) {
+	if (Text::stringContains($uuid, DS, false)) {
+		$message = 'Path traversal detected.';
+		Log::set($message, LOG_TYPE_ERROR);
+		ajaxResponse(1, $message);
+	}
+}
+
 // Set upload directory
 if ($uuid && IMAGE_RESTRICT) {
 	$imageDirectory = PATH_UPLOADS_PAGES.$uuid.DS;
@@ -38,7 +47,7 @@
 	// Convert URL characters such as spaces or quotes to characters
 	$filename = urldecode($filename);
 
-	// Check path traversal
+	// Check path traversal on $filename
 	if (Text::stringContains($filename, DS, false)) {
 		$message = 'Path traversal detected.';
 		Log::set($message, LOG_TYPE_ERROR);