From d27b649283aa6a01a15e5a3df1520d7aa69a5e18 Mon Sep 17 00:00:00 2001
From: Mark Unwin
Date: Fri, 26 Nov 2021 22:50:04 +1000
Subject: [PATCH] Fix for image upload path traversal issue.
---
 code_igniter/application/controllers/devices.php | 11 ++---------
 code_igniter/application/models/m_devices.php | 2 +-
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/code_igniter/application/controllers/devices.php b/code_igniter/application/controllers/devices.php
index fbe05f999..7e261a741 100644
--- a/code_igniter/application/controllers/devices.php
+++ b/code_igniter/application/controllers/devices.php
@@ -685,17 +685,10 @@ private function sub_resource_download()
 }
 $attachment = $this->m_devices->read_sub_resource($this->response->meta->id, $this->response->meta->sub_resource, $this->response->meta->sub_resource_id, '*', '', '', '');
 $this->load->helper('file');
- if (php_uname('s') === 'Windows NT') {
- $temp = explode('\\', $attachment[0]->attributes->filename);
- } else {
- $temp = explode('/', $attachment[0]->attributes->filename);
- }
- $filename = $temp[count($temp)-1];
- $filename = preg_replace('/'.$this->response->meta->id.'_/', '', $filename, 1);
 header('Content-Type: '.get_mime_by_extension($attachment[0]->attributes->filename));
- header('Content-Disposition: attachment;filename="'.$filename.'"');
+ header('Content-Disposition: attachment;filename="'.basename($attachment[0]->attributes->filename).'"');
 header('Cache-Control: max-age=0');
- readfile($attachment[0]->attributes->filename);
+ readfile($_SERVER['DOCUMENT_ROOT'] . '/open-audit/custom_images/' . basename($attachment[0]->attributes->filename));
 }
 /**
diff --git a/code_igniter/application/models/m_devices.php b/code_igniter/application/models/m_devices.php
index c735efa15..7983c4c42 100644
--- a/code_igniter/application/models/m_devices.php
+++ b/code_igniter/application/models/m_devices.php
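Review bot: In `sub_resource_download()` (controllers/devices.php) the three `header()` calls run before anything confirms that the basename resolves to a regular file under `custom_images`, so an empty, `..` or stale filename in the row produces a download response with a failed `readfile()` behind it. The sketch below resolves the path with `realpath()`, checks containment and `is_file()` first, and only then sends headers; it also strips `"` from the name placed in `Content-Disposition`. The removed lines stripped an `<id>_` prefix from the name, which suggests files stored outside `custom_images` may also be served by this function, so it is worth confirming those sub-resources still download. The function begins above the hunk.

```php
// … unchanged: read_sub_resource() call and file helper load …
$name = basename((string) $attachment[0]->attributes->filename);
$base = realpath($_SERVER['DOCUMENT_ROOT'] . '/open-audit/custom_images');
$path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || ! is_file($path)) {
    // or the controller's usual error response, if it has one
    show_404();
    return;
}
header('Content-Type: '.get_mime_by_extension($path));
header('Content-Disposition: attachment;filename="'.str_replace('"', '', $name).'"');
header('Cache-Control: max-age=0');
readfile($path);
```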
@@ -731,7 +731,7 @@ public function sub_resource_create($id = 0, $sub_resource = '', $data = '')
 $sql = 'INSERT INTO `image` VALUES (NULL, ?, ?, ?, ?, ?, NOW())';
 $data = array(intval($CI->response->meta->id),
 $CI->response->meta->received_data->attributes->name,
- $CI->response->meta->received_data->attributes->filename,
+ basename($CI->response->meta->received_data->attributes->filename),
 $CI->response->meta->received_data->attributes->orientation,
 $CI->user->full_name);
 $this->db->query($sql, $data);
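Review bot: `basename()` on the inserted filename removes directory components but still stores whatever leaf name the client sent, including an empty string or `..`, and nothing visible here checks that the name refers to an existing file in the image directory. Computing the basename once before the `$data` array and rejecting the degenerate values, e.g. `if ($filename === '' || $filename === '.' || $filename === '..') { /* reject the request */ }`, would keep such rows out of the table. Rows written before this change keep their full paths; the download code in devices.php now applies `basename()` on read, but any other consumer of `image.filename` would need the same treatment or a one-off data migration. `sub_resource_create` starts and ends outside the hunk, so how a rejection should be reported has to be checked against the rest of the function.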