mirror/php-cimage
1
0
Fork 0
mirror of https://github.com/mosbth/cimage.git synced 2025-08-04 15:17:42 +02:00
Code Issues Releases Wiki Activity

prepare to merge master

Browse Source
This commit is contained in:
Mikael Roos
2016-04-01 10:27:33 +02:00
parent a62d7cb6c2
commit 71816261f2
3 changed files with 84 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
webroot/imgd.php
View File

@@ -4218,18 +4218,28 @@ if (isset($shortcut)
$srcImage = urldecode(get('src')) $srcImage = urldecode(get('src'))
or errorPage('Must set src-attribute.', 404); or errorPage('Must set src-attribute.', 404);
// Get settings for src-alt as backup image
$srcAltImage = urldecode(get('src-alt', null));
$srcAltConfig = getConfig('src_alt', null);
if (empty($srcAltImage)) {
$srcAltImage = $srcAltConfig;
}
// Check for valid/invalid characters // Check for valid/invalid characters
$imagePath = getConfig('image_path', __DIR__ . '/img/'); $imagePath = getConfig('image_path', __DIR__ . '/img/');
$imagePathConstraint = getConfig('image_path_constraint', true); $imagePathConstraint = getConfig('image_path_constraint', true);
$validFilename = getConfig('valid_filename', '#^[a-z0-9A-Z-/_ \.:]+$#'); $validFilename = getConfig('valid_filename', '#^[a-z0-9A-Z-/_ \.:]+$#');
// Source is remote
$remoteSource = false;
// Dummy image feature // Dummy image feature
$dummyEnabled = getConfig('dummy_enabled', true); $dummyEnabled = getConfig('dummy_enabled', true);
$dummyFilename = getConfig('dummy_filename', 'dummy'); $dummyFilename = getConfig('dummy_filename', 'dummy');
$dummyImage = false; $dummyImage = false;
preg_match($validFilename, $srcImage) preg_match($validFilename, $srcImage)
or errorPage('Filename contains invalid characters.', 404); or errorPage('Source filename contains invalid characters.', 404);
if ($dummyEnabled && $srcImage === $dummyFilename) { if ($dummyEnabled && $srcImage === $dummyFilename) {
@@ -4239,19 +4249,40 @@ if ($dummyEnabled && $srcImage === $dummyFilename) {
} elseif ($allowRemote && $img->isRemoteSource($srcImage)) { } elseif ($allowRemote && $img->isRemoteSource($srcImage)) {
// If source is a remote file, ignore local file checks. // If source is a remote file, ignore local file checks.
$remoteSource = true;
} elseif ($imagePathConstraint) { } else {
// Check that the image is a file below the directory 'image_path'. // Check if file exists on disk or try using src-alt
$pathToImage = realpath($imagePath . $srcImage); $pathToImage = realpath($imagePath . $srcImage);
$imageDir = realpath($imagePath);
is_file($pathToImage) if (!is_file($pathToImage) && !empty($srcAltImage)) {
or errorPage( // Try using the src-alt instead
'Source image is not a valid file, check the filename and that a $srcImage = $srcAltImage;
matching file exists on the filesystem.', $pathToImage = realpath($imagePath . $srcImage);
404
); preg_match($validFilename, $srcImage)
or errorPage('Source (alt) filename contains invalid characters.', 404);
if ($dummyEnabled && $srcImage === $dummyFilename) {
// Check if src-alt is the dummy image
$dummyImage = true;
}
}
if (!$dummyImage) {
is_file($pathToImage)
or errorPage(
'Source image is not a valid file, check the filename and that a
matching file exists on the filesystem.',
404
);
}
}
if ($imagePathConstraint && !$dummyImage && !$remoteSource) {
// Check that the image is a file below the directory 'image_path'.
$imageDir = realpath($imagePath);
substr_compare($imageDir, $pathToImage, 0, strlen($imageDir)) == 0 substr_compare($imageDir, $pathToImage, 0, strlen($imageDir)) == 0
or errorPage( or errorPage(

51
webroot/imgp.php
View File

@@ -4218,18 +4218,28 @@ if (isset($shortcut)
$srcImage = urldecode(get('src')) $srcImage = urldecode(get('src'))
or errorPage('Must set src-attribute.', 404); or errorPage('Must set src-attribute.', 404);
// Get settings for src-alt as backup image
$srcAltImage = urldecode(get('src-alt', null));
$srcAltConfig = getConfig('src_alt', null);
if (empty($srcAltImage)) {
$srcAltImage = $srcAltConfig;
}
// Check for valid/invalid characters // Check for valid/invalid characters
$imagePath = getConfig('image_path', __DIR__ . '/img/'); $imagePath = getConfig('image_path', __DIR__ . '/img/');
$imagePathConstraint = getConfig('image_path_constraint', true); $imagePathConstraint = getConfig('image_path_constraint', true);
$validFilename = getConfig('valid_filename', '#^[a-z0-9A-Z-/_ \.:]+$#'); $validFilename = getConfig('valid_filename', '#^[a-z0-9A-Z-/_ \.:]+$#');
// Source is remote
$remoteSource = false;
// Dummy image feature // Dummy image feature
$dummyEnabled = getConfig('dummy_enabled', true); $dummyEnabled = getConfig('dummy_enabled', true);
$dummyFilename = getConfig('dummy_filename', 'dummy'); $dummyFilename = getConfig('dummy_filename', 'dummy');
$dummyImage = false; $dummyImage = false;
preg_match($validFilename, $srcImage) preg_match($validFilename, $srcImage)
or errorPage('Filename contains invalid characters.', 404); or errorPage('Source filename contains invalid characters.', 404);
if ($dummyEnabled && $srcImage === $dummyFilename) { if ($dummyEnabled && $srcImage === $dummyFilename) {
@@ -4239,19 +4249,40 @@ if ($dummyEnabled && $srcImage === $dummyFilename) {
} elseif ($allowRemote && $img->isRemoteSource($srcImage)) { } elseif ($allowRemote && $img->isRemoteSource($srcImage)) {
// If source is a remote file, ignore local file checks. // If source is a remote file, ignore local file checks.
$remoteSource = true;
} elseif ($imagePathConstraint) { } else {
// Check that the image is a file below the directory 'image_path'. // Check if file exists on disk or try using src-alt
$pathToImage = realpath($imagePath . $srcImage); $pathToImage = realpath($imagePath . $srcImage);
$imageDir = realpath($imagePath);
is_file($pathToImage) if (!is_file($pathToImage) && !empty($srcAltImage)) {
or errorPage( // Try using the src-alt instead
'Source image is not a valid file, check the filename and that a $srcImage = $srcAltImage;
matching file exists on the filesystem.', $pathToImage = realpath($imagePath . $srcImage);
404
); preg_match($validFilename, $srcImage)
or errorPage('Source (alt) filename contains invalid characters.', 404);
if ($dummyEnabled && $srcImage === $dummyFilename) {
// Check if src-alt is the dummy image
$dummyImage = true;
}
}
if (!$dummyImage) {
is_file($pathToImage)
or errorPage(
'Source image is not a valid file, check the filename and that a
matching file exists on the filesystem.',
404
);
}
}
if ($imagePathConstraint && !$dummyImage && !$remoteSource) {
// Check that the image is a file below the directory 'image_path'.
$imageDir = realpath($imagePath);
substr_compare($imageDir, $pathToImage, 0, strlen($imageDir)) == 0 substr_compare($imageDir, $pathToImage, 0, strlen($imageDir)) == 0
or errorPage( or errorPage(

4
webroot/imgs.php
View File

File diff suppressed because one or more lines are too long