mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-05-18 00:12:16 +09:00
Fix insufficient protection of thumbnail temp file RVE-2026-7
This commit is contained in:
Kijin Sung
parent
d609d36ac6
commit
453a9bb26a
2 changed files with 22 additions and 10 deletions
|
|
@ -924,28 +924,34 @@ class CommentItem extends BaseObject
|
|||
$target_src = Context::getRequestUri().$target_src;
|
||||
}
|
||||
|
||||
$tmp_file = sprintf('./files/cache/tmp/%d', md5(rand(111111, 999999) . $this->comment_srl));
|
||||
if(!is_dir('./files/cache/tmp'))
|
||||
$tmp_file = sprintf('./files/cache/tmp/%s', Rhymix\Framework\Security::getRandom(32));
|
||||
if (!Rhymix\Framework\Storage::exists(\RX_BASEDIR . 'files/cache/tmp'))
|
||||
{
|
||||
FileHandler::makeDir('./files/cache/tmp');
|
||||
Rhymix\Framework\Storage::createDirectory(\RX_BASEDIR . 'files/cache/tmp');
|
||||
}
|
||||
if (!Rhymix\Framework\Storage::exists(\RX_BASEDIR . 'files/cache/tmp/.htaccess'))
|
||||
{
|
||||
Rhymix\Framework\Storage::protectDirectory(\RX_BASEDIR . 'files/cache/tmp');
|
||||
}
|
||||
FileHandler::getRemoteFile($target_src, $tmp_file);
|
||||
if(!file_exists($tmp_file))
|
||||
if (!Rhymix\Framework\Storage::exists($tmp_file))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
else
|
||||
{
|
||||
if($is_img = @getimagesize($tmp_file))
|
||||
if ($is_img = @getimagesize($tmp_file))
|
||||
{
|
||||
list($_w, $_h, $_t, $_a) = $is_img;
|
||||
if($_w < ($external_image_min_width) && ($height === 'auto' || $_h < ($external_image_min_height)))
|
||||
{
|
||||
Rhymix\Framework\Storage::delete($tmp_file);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
Rhymix\Framework\Storage::delete($tmp_file);
|
||||
continue;
|
||||
}
|
||||
$source_file = $tmp_file;
|
||||
|
|
|
|||
|
|
@ -1257,28 +1257,34 @@ class DocumentItem extends BaseObject
|
|||
$target_src = Context::getRequestUri().$target_src;
|
||||
}
|
||||
|
||||
$tmp_file = sprintf('./files/cache/tmp/%d', md5(rand(111111,999999).$this->document_srl));
|
||||
if(!is_dir('./files/cache/tmp'))
|
||||
$tmp_file = sprintf('./files/cache/tmp/%s', Rhymix\Framework\Security::getRandom(32));
|
||||
if (!Rhymix\Framework\Storage::exists(\RX_BASEDIR . 'files/cache/tmp'))
|
||||
{
|
||||
FileHandler::makeDir('./files/cache/tmp');
|
||||
Rhymix\Framework\Storage::createDirectory(\RX_BASEDIR . 'files/cache/tmp');
|
||||
}
|
||||
if (!Rhymix\Framework\Storage::exists(\RX_BASEDIR . 'files/cache/tmp/.htaccess'))
|
||||
{
|
||||
Rhymix\Framework\Storage::protectDirectory(\RX_BASEDIR . 'files/cache/tmp');
|
||||
}
|
||||
FileHandler::getRemoteFile($target_src, $tmp_file);
|
||||
if(!file_exists($tmp_file))
|
||||
if (!Rhymix\Framework\Storage::exists($tmp_file))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
else
|
||||
{
|
||||
if($is_img = @getimagesize($tmp_file))
|
||||
if ($is_img = @getimagesize($tmp_file))
|
||||
{
|
||||
list($_w, $_h, $_t, $_a) = $is_img;
|
||||
if($_w < ($external_image_min_width) && ($height === 'auto' || $_h < ($external_image_min_height)))
|
||||
{
|
||||
Rhymix\Framework\Storage::delete($tmp_file);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
Rhymix\Framework\Storage::delete($tmp_file);
|
||||
continue;
|
||||
}
|
||||
$source_file = $tmp_file;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue