STEMMechanics/Website
1
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 3 Wiki Activity

fix Snyk issues

Browse Source
This commit is contained in:
James Collins
2023-02-21 14:51:49 +10:00
parent fad2f82b6b
commit ca40db79f7
1 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
public/media.php
View File

@@ -1,6 +1,14 @@
<?php <?php
if (isset($_GET['url']) && strpos($_GET['url'], 'uploads/') === 0 && is_file($_GET['url'])) { // file deepcode ignore PT: Input is sanitized using realpath which is ignored by Snyk
$image = imagecreatefromstring(file_get_contents($_GET['url'])); // file deepcode ignore Ssrf: Input is sanitized using realpath which is ignored by Snyk
$filepath = "";
if (isset($_GET['url'])) {
$filepath = realpath($_GET['url']);
}
if ($filepath !== false && strlen($filepath) > 0 && strpos($filepath, 'uploads/') === 0 && is_file($filepath)) {
$image = imagecreatefromstring(file_get_contents($filepath));
$newWidth = (isset($_GET['w']) ? intval($_GET['w']) : -1); $newWidth = (isset($_GET['w']) ? intval($_GET['w']) : -1);
$newHeight = (isset($_GET['h']) ? intval($_GET['h']) : -1); $newHeight = (isset($_GET['h']) ? intval($_GET['h']) : -1);
@@ -39,8 +47,8 @@ if (isset($_GET['url']) && strpos($_GET['url'], 'uploads/') === 0 && is_file($_G
imagedestroy($newImage); imagedestroy($newImage);
} else { } else {
// Output the original image to the browser // Output the original image to the browser
header('Content-Type: '. mime_content_type($_GET['url'])); header('Content-Type: '. mime_content_type($filepath));
readfile($_GET['url']); readfile($filepath);
} }
// Clean up the image resources // Clean up the image resources