tonyair/silverstripe-dms
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-dms synced 2024-10-22 14:05:56 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #202 from creative-commoners/pulls/2.0/escape-file-execution

Browse Source 
FIX Escape file path before loading file from filesystem
This commit is contained in:
Damian Mooyman 2017-12-07 14:59:36 +13:00 committed by GitHub
commit bcf2ac9757
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
code/model/DMSDocument_Controller.php
View File

@ -82,6 +82,7 @@ class DMSDocument_Controller extends Controller
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $path);
} elseif (is_executable($fileBin)) {
$path = escapeshellarg($path);
// try to use the system tool
$mime = `$fileBin -i -b $path`;
$mime = explode(';', $mime);
@ -89,7 +90,7 @@ class DMSDocument_Controller extends Controller
} else {
// make do with what we have
$ext = $doc->getExtension();
if ($ext =='pdf') {
if ($ext == 'pdf') {
$mime = 'application/pdf';
} elseif ($ext == 'html' || $ext =='htm') {
$mime = 'text/html';