Fix for image upload path traversal issue.
mark-unwin committed Nov 26, 2021
1 parent 04c121b commit d27b649
Showing 2 changed files with 3 additions and 10 deletions.
11 changes: 2 additions & 9 deletions code_igniter/application/controllers/devices.php
Expand Up @@ -685,17 +685,10 @@ private function sub_resource_download()
}
$attachment = $this->m_devices->read_sub_resource($this->response->meta->id, $this->response->meta->sub_resource, $this->response->meta->sub_resource_id, '*', '', '', '');
$this->load->helper('file');
if (php_uname('s') === 'Windows NT') {
$temp = explode('\\', $attachment[0]->attributes->filename);
} else {
$temp = explode('/', $attachment[0]->attributes->filename);
}
$filename = $temp[count($temp)-1];
$filename = preg_replace('/'.$this->response->meta->id.'_/', '', $filename, 1);
header('Content-Type: '.get_mime_by_extension($attachment[0]->attributes->filename));
header('Content-Disposition: attachment;filename="'.$filename.'"');
header('Content-Disposition: attachment;filename="'.basename($attachment[0]->attributes->filename).'"');
header('Cache-Control: max-age=0');
readfile($attachment[0]->attributes->filename);
readfile($_SERVER['DOCUMENT_ROOT'] . '/open-audit/custom_images/' . basename($attachment[0]->attributes->filename));
}

/**
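Review bot: The new readfile() call builds the path and reads it with no check that the target is a regular file, and that matters because basename() passes '', '.' and '..' through unchanged, so a stored filename of '..' or an empty string resolves to the custom_images directory itself, while a missing file emits a PHP warning into the response after the headers have already been sent. The same basename()-only normalisation is used in m_devices.php's sub_resource_create hunk and should get the same guard. I would change the last line to `$path = $_SERVER['DOCUMENT_ROOT'] . '/open-audit/custom_images/' . basename($attachment[0]->attributes->filename);`, `if (!is_file($path)) { show_404(); }`, `readfile($path);`. The Content-Disposition line also places the raw basename inside a quoted header parameter, so a `"` in the stored name truncates the attachment name; stripping quotes or emitting an RFC 5987 `filename*=UTF-8''` form would close that. sub_resource_download() starts above this hunk.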
2 changes: 1 addition & 1 deletion code_igniter/application/models/m_devices.php
Expand Up @@ -731,7 +731,7 @@ public function sub_resource_create($id = 0, $sub_resource = '', $data = '')
$sql = 'INSERT INTO `image` VALUES (NULL, ?, ?, ?, ?, ?, NOW())';
$data = array(intval($CI->response->meta->id),
$CI->response->meta->received_data->attributes->name,
$CI->response->meta->received_data->attributes->filename,
basename($CI->response->meta->received_data->attributes->filename),
$CI->response->meta->received_data->attributes->orientation,
$CI->user->full_name);
$this->db->query($sql, $data);
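Review bot: The basename() on the filename column is undocumented, so the next maintainer has no signal that the `image` row is later used to build a filesystem path and that directory components must never reach the database; I would add above the `$data = array(` line: `// Store only the base name: devices.php serves this file from custom_images/ by name, so any directory component here would become a path traversal.` The code that actually writes the uploaded bytes into custom_images/ is not in this hunk; if it still derives the on-disk name from the raw received filename rather than the same basename() value, the stored row and the file on disk will no longer match, which is worth confirming. sub_resource_create() starts above this hunk and continues below it.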
