tonyair/silverstripe-dms
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-dms synced 2024-10-22 14:05:56 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #202 from creative-commoners/pulls/2.0/escape-file-execution

Browse Source 
FIX Escape file path before loading file from filesystem
This commit is contained in:
Damian Mooyman 2017-12-07 14:59:36 +13:00 committed by GitHub
commit bcf2ac9757
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
code/model/DMSDocument_Controller.php
View File

@ -82,6 +82,7 @@ class DMSDocument_Controller extends Controller
$finfo = finfo_open(FILEINFO_MIME_TYPE); $finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $path); $mime = finfo_file($finfo, $path);
} elseif (is_executable($fileBin)) { } elseif (is_executable($fileBin)) {
$path = escapeshellarg($path);
// try to use the system tool // try to use the system tool
$mime = `$fileBin -i -b $path`; $mime = `$fileBin -i -b $path`;
$mime = explode(';', $mime); $mime = explode(';', $mime);