wamo/gnu-social
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Embed][CORE] Validate the hexadecimal for hex2bin properly

Browse Source
This commit is contained in:
Alexei Sorokin 2020-01-07 17:30:18 +03:00 committed by Diogo Peralta Cordeiro
parent ceeb6d4d8f
commit d467370efb
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/media/mediafile.php
View File

@ -279,10 +279,8 @@ class MediaFile
$ret = preg_match('/^(.*-)?([^-]+)-[^-]+$/', $encoded_filename, $matches); $ret = preg_match('/^(.*-)?([^-]+)-[^-]+$/', $encoded_filename, $matches);
if ($ret === false) { if ($ret === false) {
return false; return false;
} elseif ($ret === 0) { } elseif ($ret === 0 || !ctype_xdigit($matches[2])) {
return null; // No match return null; // No match
} elseif (strlen($matches[2]) % 2 !== 0) {
return null; // An odd length won't do for hex2bin
} else { } else {
$filename = hex2bin($matches[2]); $filename = hex2bin($matches[2]);