
Commit 5cc3937

committed
secure gallery upload
- add csrf token - add random int to filename - check for image file suffix
1 parent 7942ff3 commit 5cc3937

2 files changed

+35
-12
lines changed


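--- a/acp/core/files.upload_gallery.php
+++ b/acp/core/files.upload_gallery.php
@@ -1,5 +1,21 @@
 <?php
 
+session_start();
+
+if($_SESSION['user_class'] != "administrator"){
+header("location:../index.php");
+die("PERMISSION DENIED!");
+}
+
+require '../../config.php';
+if(is_file('../../'.FC_CONTENT_DIR.'/config.php')) {
+include '../../'.FC_CONTENT_DIR.'/config.php';
+}
+
+if($_POST['csrf_token'] !== $_SESSION['token']) {
+die('Error: CSRF Token is invalid');
+}
+
 $year = date('Y',time());
 $gallery_id = 'gallery'. (int) $_REQUEST['gal'];
 $uploads_dir = '../../content/galleries/'.$year.'/'.$gallery_id;
@@ -20,27 +36,34 @@
 }
 
 if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
+
 $tmp_name = $_FILES["file"]["tmp_name"];
 $timestring = microtime(true);
+$random_int = random_int(0, 999);
 
-$suffix = strrchr($_FILES["file"]["name"],".");
-$org_name = $timestring . $suffix;
-$img_name = $timestring."_img.jpg";
-$tmb_name = $timestring."_tmb.jpg";
+$suffix = substr(strrchr($_FILES["file"]["name"],"."),1);
+$org_name = $timestring .'.'. $suffix;
+$img_name = $timestring.$random_int."_img.jpg";
+$tmb_name = $timestring.$random_int."_tmb.jpg";
+
+if(!in_array($suffix, $fc_upload_img_types)) {
+exit;
+} else {
 
-if(move_uploaded_file($tmp_name, "$uploads_dir/$org_name")) {
-create_thumbs($uploads_dir,$org_name,$img_name, $max_width,$max_height,90);
-create_thumbs($uploads_dir,$img_name,$tmb_name, $max_width_tmb,$max_height_tmb,80);
-unlink("$uploads_dir/$org_name");
-print ('Uploaded');
+if(move_uploaded_file($tmp_name, "$uploads_dir/$org_name")) {
+create_thumbs($uploads_dir,$org_name,$img_name, $max_width,$max_height,90);
+create_thumbs($uploads_dir,$img_name,$tmb_name, $max_width_tmb,$max_height_tmb,80);
+unlink("$uploads_dir/$org_name");
+print ('Uploaded');
+}
 }
 }
 function create_thumbs($updir, $img, $name, $thumbnail_width, $thumbnail_height, $quality){
 $arr_image_details = GetImageSize("$updir/$img");
 $original_width = $arr_image_details[0];
 $original_height = $arr_image_details[1];
 $a = $thumbnail_width / $thumbnail_height;
-$b = $original_width / $original_height;
+$b = $original_width / $original_height;
 
 
 if ($a<$b) {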
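Review bot: The CSRF check at new lines 15–17 is satisfied when both sides are missing: an absent `$_POST['csrf_token']` and an unset `$_SESSION['token']` are each null, `null !== null` is false, and the script continues, so a request carrying no token at all passes whenever the session has not yet been given one. Require both values and compare in constant time, e.g. `if (!isset($_POST['csrf_token'], $_SESSION['token']) || !hash_equals($_SESSION['token'], $_POST['csrf_token'])) {`. In the second hunk the `in_array` on the extension at new line 49 is the only validation before `move_uploaded_file` at line 53, and `create_thumbs` then relies on `GetImageSize` succeeding; for a non-image payload `$arr_image_details` is false, and on PHP 8 the division at line 66 would throw before the `unlink` at line 56 runs, leaving the file in `$uploads_dir` — checking `getimagesize($tmp_name) !== false` before the move closes that gap. `in_array` should also pass `true` as its third argument, and `strtolower($suffix)` would avoid rejecting upper-case extensions if `$fc_upload_img_types` (defined outside this hunk) holds only lower-case entries. `create_thumbs` continues past the end of the hunk.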

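--- a/acp/templates/gallery_upload_form.tpl
+++ b/acp/templates/gallery_upload_form.tpl
@@ -2,9 +2,8 @@
 <div class="modal-dialog modal-lg modal-dialog-centered" role="document">
 <div class="modal-content">
 <div class="modal-header">
-<h5 class="modal-title">Upload into {post_id}</h5>
+<h5 class="modal-title">Upload into Gallery ID #{post_id}</h5>
 <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close">
-<span aria-hidden="true">&times;</span>
 </button>
 </div>
 <div class="modal-body">
@@ -26,6 +25,7 @@
 
 <form action="acp.php?tn=posts&sub=edit" method="POST" id="reload_form">
 <input type="hidden" name="post_id" value="{post_id}">
+<input type="hidden" name="csrf_token" value="{token}">
 </form>
 
 <script>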
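Review bot: The new hidden `csrf_token` field at new line 28 is placed in `#reload_form`, which posts to `acp.php?tn=posts&sub=edit`, while the handler that now requires the token is `acp/core/files.upload_gallery.php`; whether the upload request itself (presumably issued by the `<script>` at line 31, which is outside this hunk) also sends `csrf_token` is not visible here and should be verified, otherwise every upload will hit the new `die('Error: CSRF Token is invalid')`. `{token}` is also emitted inside a double-quoted attribute, so either the template engine must attribute-escape it or the token value must be guaranteed to contain no quote characters — which of the two holds is not visible in this change.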
