From dc2b9f940ee6d718c964e52a02cfb59c678e6acd Mon Sep 17 00:00:00 2001
From: Hugo Sales
Date: Tue, 3 Aug 2021 10:22:55 +0000
Subject: [PATCH] [CORE][GSFile] Assert that the destination folder where to store the attachment is inside the INSTALLDIR and store the filepath in the database
---
 src/Core/GSFile.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/Core/GSFile.php b/src/Core/GSFile.php
index 901cddc8e0..6190e0b974 100644
--- a/src/Core/GSFile.php
+++ b/src/Core/GSFile.php
@@ -30,6 +30,7 @@ use App\Util\Exception\DuplicateFoundException;
 use App\Util\Exception\NoSuchFileException;
 use App\Util\Exception\NotFoundException;
 use App\Util\Exception\ServerException;
+use App\Util\Formatting;
 use InvalidArgumentException;
 use SplFileInfo;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
@@ -69,6 +70,10 @@ class GSFile
 ?string $title = null,
 bool $is_local = true): Attachment
 {
+ if (!Formatting::startsWith($dest_dir, INSTALLDIR)) {
+ throw new \InvalidArgumentException("Attempted to store an attachment to a folder outside the GNU social installation: {$dest_dir}");
+ }
+
 $hash = null;
 Event::handle('HashFile', [$file->getPathname(), &$hash]);
 try {
@@ -88,7 +93,7 @@ class GSFile
 'gsactor_id' => $actor_id,
 'mimetype' => $mimetype,
 'title' => $title,
- 'filename' => $hash,
+ 'filename' => Formatting::removePrefix($dest_dir, INSTALLDIR . DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $hash,
 'is_local' => $is_local,
 'size' => $file->getSize(),
 'width' => $width,
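Review bot: The containment guard added at the top of the method compares `$dest_dir` with `INSTALLDIR` as raw strings, so it does not establish that the resolved directory is inside the installation. Assuming `Formatting::startsWith` is a plain prefix test (its body is not in this diff), a value containing `..` segments or a sibling directory whose name merely begins with the `INSTALLDIR` string would both pass. Canonicalise first and compare with a trailing separator, e.g. `$real = realpath($dest_dir);` followed by `if ($real === false || !Formatting::startsWith($real . DIRECTORY_SEPARATOR, INSTALLDIR . DIRECTORY_SEPARATOR)) {`; this presumes the directory already exists at this point and that `INSTALLDIR` is itself canonical. The third hunk strips `INSTALLDIR . DIRECTORY_SEPARATOR`, so the guard and the stored path currently use different prefixes. The method body starts and ends outside the hunk.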
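Review bot: The value written to `'filename'` is built by string concatenation from an un-normalised `$dest_dir`, so a `$dest_dir` passed with a trailing separator yields a doubled separator in the stored path, and a `$dest_dir` equal to `INSTALLDIR` itself would presumably be left unstripped and stored as an absolute path. Normalising once before use, `$dest_dir = rtrim($dest_dir, DIRECTORY_SEPARATOR);`, keeps the database value stable. Because the column is still called `filename` while now holding a path relative to `INSTALLDIR`, a comment such as `// path relative to INSTALLDIR, not a bare hash` would help, since the code that reads this column is outside this diff. The array literal continues beyond the hunk.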