[Embed][CORE] Validate the hexadecimal for hex2bin properly

This commit is contained in:
Alexei Sorokin 2020-01-07 17:30:18 +03:00 committed by Diogo Peralta Cordeiro
parent ceeb6d4d8f
commit d467370efb

View File

@ -279,10 +279,8 @@ class MediaFile
$ret = preg_match('/^(.*-)?([^-]+)-[^-]+$/', $encoded_filename, $matches); $ret = preg_match('/^(.*-)?([^-]+)-[^-]+$/', $encoded_filename, $matches);
if ($ret === false) { if ($ret === false) {
return false; return false;
} elseif ($ret === 0) { } elseif ($ret === 0 || !ctype_xdigit($matches[2])) {
return null; // No match return null; // No match
} elseif (strlen($matches[2]) % 2 !== 0) {
return null; // An odd length won't do for hex2bin
} else { } else {
$filename = hex2bin($matches[2]); $filename = hex2bin($matches[2]);