author | Kate Arzamastseva <pshns@ukr.net> | 2011-09-06 19:22:07 +0300 |
---|---|---|
committer | Kate Arzamastseva <pshns@ukr.net> | 2011-09-06 19:22:07 +0300 |
commit | cc2c0b9d6af82732ed79eeb85c22b7c3192a4e55 (patch) | |
tree | b89b580659168d8550dcca66fb0c303389b77aaf /lib/exe | |
parent | 62231793d3f25f1cc59d328ee5d4e28c483f7962 (diff) | |
issue #61 security fix
Diffstat (limited to 'lib/exe')
-rw-r--r-- | lib/exe/ajax.php | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index 4f627e995..d4ef8dc11 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -251,24 +251,27 @@ function ajax_mediadiff(){
 function ajax_mediaupload(){
     global $NS, $MSG;
-    $NS = $_REQUEST['ns'];
-    $AUTH = auth_quickaclcheck("$NS:*");
-    if($AUTH >= AUTH_UPLOAD) { io_createNamespace("$NS:xxx", 'media'); }
-
-    if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']);
-
     if ($_FILES['qqfile']['tmp_name']) {
-        $res = media_upload($NS, $AUTH, $_FILES['qqfile']);
         $id = ((empty($_POST['mediaid'])) ? $_FILES['qqfile']['name'] : $_POST['mediaid']);
-    }
-    if (isset($_GET['qqfile'])) {
-        $res = media_upload_xhr($NS, $AUTH);
+    } elseif (isset($_GET['qqfile'])) {
         $id = $_GET['qqfile'];
     }
+    $id = cleanID($id, false, true);
+    $NS = $_REQUEST['ns'];
+    $ns = $NS.':'.getNS($id);
+
+    $AUTH = auth_quickaclcheck("$ns:*");
+    if($AUTH >= AUTH_UPLOAD) { io_createNamespace("$ns:xxx", 'media'); }
+
+    if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']);
+
+    if ($_FILES['qqfile']['tmp_name']) $res = media_upload($NS, $AUTH, $_FILES['qqfile']);
+    if (isset($_GET['qqfile'])) $res = media_upload_xhr($NS, $AUTH);
+
     if ($res) $result = array('success' => true,
-        'link' => media_managerURL(array('ns' => $NS.':'.getNS($id), 'image' => $NS.':'.$id), '&'),
+        'link' => media_managerURL(array('ns' => $ns, 'image' => $NS.':'.$id), '&'),
         'id' => $NS.':'.$id, 'ns' => $NS);
     if (!$result) { |
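Review bot: The namespace that is ACL-checked is derived from `cleanID($id, false, true)` computed in this function, but `media_upload()` and `media_upload_xhr()` still receive only `$NS` and `$AUTH` and, as far as the hunk shows, re-derive the destination file id from the raw `$_FILES['qqfile']['name']` / `$_POST['mediaid']` / `$_GET['qqfile']` values themselves; if their normalisation differs from the one applied here, the authorisation check and the actual write can refer to different namespaces. Passing the already cleaned `$id` (or `$ns`) down to both helpers, or performing the `auth_quickaclcheck("$ns:*")` inside them next to where the destination path is finally resolved, would keep the check and the write on the same value. `$NS` itself is taken verbatim from `$_REQUEST['ns']`; unless `auth_quickaclcheck()` normalises its argument, `$NS = cleanID($_REQUEST['ns']);` would be consistent with the cleaning applied to `$id`. When neither an upload nor `qqfile` is present, `$id` is never assigned before `cleanID($id, false, true)`, so the ACL is evaluated on a namespace derived from an empty id and `$res` stays unset; an early `return` in that case would make the failure path explicit instead of relying on `$result` being unset. The function body continues past the end of the hunk.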