eliseuamaro/gnu-social
1
0
Fork 0
forked from GNUsocial/gnu-social
Code Issues Pull Requests Releases Wiki Activity

[Embed][CORE] Validate the hexadecimal for hex2bin properly

Browse Source
This commit is contained in:
Alexei Sorokin 2020-01-07 17:30:18 +03:00
parent f5aeab39b4
commit 110d3a453a
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/media/mediafile.php
View File

@ -279,10 +279,8 @@ class MediaFile
$ret = preg_match('/^(.*-)?([^-]+)-[^-]+$/', $encoded_filename, $matches);
if ($ret === false) {
return false;
} elseif ($ret === 0) {
} elseif ($ret === 0 || !ctype_xdigit($matches[2])) {
return null; // No match
} elseif (strlen($matches[2]) % 2 !== 0) {
return null; // An odd length won't do for hex2bin
} else {
$filename = hex2bin($matches[2]);