From c1092f167cc6c78dc8bf9bf149946c5219413df3 Mon Sep 17 00:00:00 2001
From: dleffler
Date: Wed, 14 Sep 2016 17:50:30 -0400
Subject: [PATCH] security fix to pixidou editor
---
 .../modules/pixidou/controllers/pixidouController.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/framework/modules/pixidou/controllers/pixidouController.php b/framework/modules/pixidou/controllers/pixidouController.php
index f6bf2b8a8c..14afb2284a 100755
--- a/framework/modules/pixidou/controllers/pixidouController.php
+++ b/framework/modules/pixidou/controllers/pixidouController.php
@@ -58,8 +58,11 @@ function editor() {
 }
 public function exitEditor() {
-
- //eDebug($this->params,true);
+ // clean up parameters
+ $this->params['fid'] = intval($this->params['fid']);
+ if (!empty($this->params['cpi']) && strpos($this->params['cpi'], '..') !== false) {
+ $this->params['exitType'] = 'error';
+ }
 switch ($this->params['exitType']) {
 case 'saveAsCopy':
 $oldimage = new expFile($this->params['fid']);
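Review bot: The new `cpi` check in exitEditor() is a denylist on the substring `..`, so it only rejects relative traversal; an absolute path, or any other value without `..`, still reaches the switch unchanged. How `cpi` is consumed lies outside the hunk, so this is hedged, but if it is used as a filesystem path the sturdier guard is containment after canonicalisation, e.g. `$real = realpath($candidate); if ($real === false || strpos($real, $allowedDir) !== 0) { $this->params['exitType'] = 'error'; }`, where `$candidate` and `$allowedDir` are placeholders for the resolved path and the separator-terminated directory the editor may touch. Forcing `exitType` to `'error'` also relies on the switch having no case of that name and a harmless default branch, which cannot be confirmed from here. A comment such as `// 'error' matches no case below, so a rejected request performs no file operation` and a log entry for the rejected request would make that intent auditable. Separately, `intval($this->params['fid'])` and the `switch` both read keys that may be absent from the request; `$this->params['fid'] ?? 0` (or `isset()` on older PHP) avoids the undefined-index notice.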