alias now requires password to work. alias filename is without extension #47.

2025-08-21 15:21:23 +02:00 · 2015-01-17 19:15:18 +01:00
parent f87dc2967f
commit 4fae208c4c
4 changed files with 31 additions and 23 deletions
--- a/webroot/img.php
+++ b/webroot/img.php
@@ -630,25 +630,26 @@ $postProcessing = getConfig('postprocessing', array(

 /**
 * alias - Save resulting image to another alias name.
- * Password apply if defined.
+ * Password always apply, must be defined.
 */
-$alias     = get('alias', null);
-$aliasPath = getConfig('alias_path', null);
-$aliasTarget = null;
+$alias          = get('alias', null);
+$aliasPath      = getConfig('alias_path', null);
+$validAliasname = getConfig('valid_aliasname', '#^[a-z0-9A-Z-_]+$#');
+$aliasTarget    = null;

-if ($alias && $aliasPath) {
+if ($alias && $aliasPath && $passwordMatch) {

    $aliasTarget = $aliasPath . $alias;
    $useCache    = false;

-    ($passwordMatch !== false)
-        or errorPage("Alias used and password check failed.");
    is_writable($aliasPath)
        or errorPage("Directory for alias is not writable.");
-    preg_match($validFilename, $alias)
-        or errorPage('Filename for alias contains invalid characters.');
+
+    preg_match($validAliasname, $alias)
+        or errorPage('Filename for alias contains invalid characters. Do not add extension.');
+
 } else if ($alias) {
-    errorPage('Alias is not enabled in the config file.');
+    errorPage('Alias is not enabled in the config file or password not matching.');
 }

 verbose("alias = $alias");
--- a/webroot/img_config.php
+++ b/webroot/img_config.php
@@ -57,6 +57,18 @@ return array(


    /**
+     * A regexp for validating characters in the image or alias filename.
+     *
+     * Default value:
+     *  valid_filename:  '#^[a-z0-9A-Z-/_\.:]+$#'
+     *  valid_aliasname: '#^[a-z0-9A-Z-_]+$#'
+     */
+     //'valid_filename'  => '#^[a-z0-9A-Z-/_\.:]+$#',
+     //'valid_aliasname' => '#^[a-z0-9A-Z-_]+$#',
+
+
+
+     /**
     * Check that the imagefile is a file below 'image_path' using realpath().
     * Security constraint to avoid reaching images outside image_path.
     * This means that symbolic links to images outside the image_path will fail.
@@ -64,21 +76,11 @@ return array(
     * Default value:
     *  image_path_constraint: true
     */
-    //'image_path_constraint' => false,
+     //'image_path_constraint' => false,



-    /**
-     * A regexp for validating characters in the image filename.
-     *
-     * Default value:
-     *  valid_filename: '#^[a-z0-9A-Z-/_\.:]+$#'
-     */
-    //'valid_filename' => '#^[a-z0-9A-Z-/_\.:]+$#',
-
-
-
-    /**
+     /**
     * Set default timezone.
     *
     * Default values.