From b193ad73e30aa77c4ff7b0ccc5bd3d522224de1b Mon Sep 17 00:00:00 2001
From: Kijin Sung <kijin@kijinsung.com>
Date: Thu, 16 Apr 2020 18:17:04 +0900
Subject: [PATCH] Fix #1274 check chunked uploads after all chunks are ready

---
 classes/security/UploadFileFilter.class.php | 6 ++++++
 modules/file/file.controller.php            | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/classes/security/UploadFileFilter.class.php b/classes/security/UploadFileFilter.class.php
index 18bfdadb7..a74b72ced 100644
--- a/classes/security/UploadFileFilter.class.php
+++ b/classes/security/UploadFileFilter.class.php
@@ -17,6 +17,12 @@ class UploadFileFilter
 			return false;
 		}
 		
+		// Don't check partial uploads (chunks).
+		if (Context::get('act') === 'procFileUpload' && preg_match('!^bytes (\d+)-(\d+)/(\d+)$!', $_SERVER['HTTP_CONTENT_RANGE']))
+		{
+			return true;
+		}
+
 		// Call Rhymix framework filter.
 		return Rhymix\Framework\Filters\FileContentFilter::check($file, $filename);
 	}
diff --git a/modules/file/file.controller.php b/modules/file/file.controller.php
index f8ef2f6ec..40fbc655a 100644
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@@ -113,6 +113,10 @@ class fileController extends file
 				$this->add('chunk_uploaded_size', $chunk_start + $chunk_size);
 				if ($chunk_start + $chunk_size == $total_size)
 				{
+					if (!Rhymix\Framework\Filters\FileContentFilter::check($temp_filename, $file_info['name']))
+					{
+						throw new Rhymix\Framework\Exception('msg_security_violation');
+					}
 					$file_info['tmp_name'] = $temp_filename;
 					$file_info['size'] = Rhymix\Framework\Storage::getSize($temp_filename);
 				}