

Merge pull request #69 from phpbb/ticket/security-279
[ticket/security/279] Escape smilies URL and prevent paths in .pak filename
marc1706 committed Oct 15, 2023
2 parents 8fe3a97 + 266376a commit ccf6e6c
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions phpBB/includes/acp/acp_icons.php
Expand Up @@ -550,7 +550,7 @@ function main($id, $mode)
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}

if (!($pak_ary = @file($phpbb_root_path . $img_path . '/' . $pak)))
if (!($pak_ary = @file($phpbb_root_path . $img_path . '/' . utf8_basename($pak))))
{
trigger_error($user->lang['PAK_FILE_NOT_READABLE'] . adm_back_link($this->u_action), E_USER_WARNING);
}
Expand Down Expand Up @@ -654,7 +654,7 @@ function main($id, $mode)
{
$replace_sql = ($mode == 'smilies') ? $code : $img;
$sql = array(
$fields . '_url' => $img,
$fields . '_url' => utf8_substr(rawurlencode($img), 0, 50),
$fields . '_height' => (int) $height,
$fields . '_width' => (int) $width,
'display_on_posting' => (int) $display_on_posting,
Expand All @@ -676,7 +676,7 @@ function main($id, $mode)
++$order;

$sql = array(
$fields . '_url' => $img,
$fields . '_url' => utf8_substr(rawurlencode($img), 0, 50),
$fields . '_height' => (int) $height,
$fields . '_width' => (int) $width,
$fields . '_order' => (int) $order,
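Review bot: `utf8_substr(rawurlencode($img), 0, 50)` in the two `_url` assignments truncates *after* percent-encoding, so a name that encodes to more than 50 characters is silently cut — possibly in the middle of a `%XX` triplet, leaving a malformed URL — and the stored value no longer names the file that was actually found on disk; since rawurlencode expands every non-ASCII byte to three characters, a 17-byte UTF-8 filename is already enough to hit this. Presumably 50 is the width of the `smiley_url`/`icons_url` column (not visible here, please confirm), in which case rejecting the entry is safer than truncating it: `$img_url = rawurlencode($img);` followed by `if (strlen($img_url) > 50) { trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); }` and then `$fields . '_url' => $img_url,` (ideally with a dedicated language string rather than FORM_INVALID). Note also that rawurlencode turns `/` into `%2F`, so if `$img` can ever carry a sub-directory component the stored URL will not resolve on most servers; a comment such as `// smilies are expected to live flat in $img_path; rawurlencode also neutralises quotes/angle brackets before the value reaches HTML` would make the intent explicit. The enclosing `main($id, $mode)` begins before the first hunk and ends after the last one.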

