From cc2c0b9d6af82732ed79eeb85c22b7c3192a4e55 Mon Sep 17 00:00:00 2001
From: Kate Arzamastseva
Date: Tue, 6 Sep 2011 19:22:07 +0300
Subject: issue #61 security fix
---
 lib/exe/ajax.php | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
(limited to 'lib/exe')
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index 4f627e995..d4ef8dc11 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -251,24 +251,27 @@ function ajax_mediadiff(){
 function ajax_mediaupload(){
 global $NS, $MSG;
- $NS = $_REQUEST['ns'];
- $AUTH = auth_quickaclcheck("$NS:*");
- if($AUTH >= AUTH_UPLOAD) { io_createNamespace("$NS:xxx", 'media'); }
-
- if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']);
-
 if ($_FILES['qqfile']['tmp_name']) {
- $res = media_upload($NS, $AUTH, $_FILES['qqfile']);
 $id = ((empty($_POST['mediaid'])) ? $_FILES['qqfile']['name'] : $_POST['mediaid']);
- }
- if (isset($_GET['qqfile'])) {
- $res = media_upload_xhr($NS, $AUTH);
+ } elseif (isset($_GET['qqfile'])) {
 $id = $_GET['qqfile'];
 }
+ $id = cleanID($id, false, true);
+ $NS = $_REQUEST['ns'];
+ $ns = $NS.':'.getNS($id);
+
+ $AUTH = auth_quickaclcheck("$ns:*");
+ if($AUTH >= AUTH_UPLOAD) { io_createNamespace("$ns:xxx", 'media'); }
+
+ if ($_FILES['qqfile']['error']) unset($_FILES['qqfile']);
+
+ if ($_FILES['qqfile']['tmp_name']) $res = media_upload($NS, $AUTH, $_FILES['qqfile']);
+ if (isset($_GET['qqfile'])) $res = media_upload_xhr($NS, $AUTH);
+
 if ($res) $result = array('success' => true,
- 'link' => media_managerURL(array('ns' => $NS.':'.getNS($id), 'image' => $NS.':'.$id), '&'),
+ 'link' => media_managerURL(array('ns' => $ns, 'image' => $NS.':'.$id), '&'),
 'id' => $NS.':'.$id, 'ns' => $NS);
 if (!$result) {
-- 
cgit v1.2.3
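Review bot: The ACL check and the upload can act on different names, because `$id` is chosen with `if … elseif` (the POSTed file wins) while the dispatch further down uses two independent `if`s. A request carrying both inputs therefore reaches `media_upload_xhr($NS, $AUTH)` with an `$AUTH` computed for the other id's namespace. Mirroring the selection closes that gap: `if ($_FILES['qqfile']['tmp_name']) $res = media_upload($NS, $AUTH, $_FILES['qqfile']); elseif (isset($_GET['qqfile'])) $res = media_upload_xhr($NS, $AUTH);`. Both helpers are outside the hunk and presumably re-derive the target name from the request, so the check only holds if they clean it the same way as `cleanID($id, false, true)`. Separately, `$id` is undefined when neither input is present, and `$NS` is used raw while `getNS($id)` may be empty, which would give an ACL string like `NS::*`; an early return and a cleaned `$NS` would cover both. The function body continues past the end of the hunk.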