source: branches/rel/html/resize_image.php @ 15035

Revision 15035, 1.0 KB checked in by adati, 17 years ago (diff)

任意のドライブおよび、フォルダの画像ファイル等にアクセスが可能な脆弱性を修正

Line 
1<?php
2
3$include_dir = realpath(dirname( __FILE__));
4require_once($include_dir . "/define.php");
5
6require_once($include_dir . HTML2DATA_DIR. "lib/gdthumb.php");
7require_once($include_dir . HTML2DATA_DIR. "conf/conf.php");
8
9$objThumb = new gdthumb();
10
11$file = NO_IMAGE_DIR;
12
13// NO_IMAGE_DIR°Ê³°¤Î¥Õ¥¡¥¤¥ë̾¤¬ÅϤµ¤ì¤¿¾ì¹ç¡¢¥Õ¥¡¥¤¥ë̾¤Î¥Á¥§¥Ã¥¯¤ò¹Ô¤¦
14if ( isset($_GET['image']) && $_GET['image'] !== NO_IMAGE_DIR) {
15   
16    //ÉÔÀµ¤Ê¥Õ¥¡¥¤¥ë̾¤¬ÅϤµ¤ì¤¿¾ì¹ç¤Ï½ªÎ»¤µ¤»¤ë
17    if ( lfCheckFileName() !== true ) {
18        exit();
19    }
20   
21    $file = IMAGE_SAVE_DIR . $_GET['image'];
22}
23
24if(file_exists($file)){
25    $objThumb->Main($file, $_GET["width"], $_GET["height"], "", true);
26}else{
27    $objThumb->Main(NO_IMAGE_DIR, $_GET["width"], $_GET["height"], "", true);
28}
29
30// ¥Õ¥¡¥¤¥ë̾¤Î·Á¼°¤ò¥Á¥§¥Ã¥¯
31function lfCheckFileName() {
32    //$pattern = '|^[0-9]+_[0-9a-z]+\.[a-z]{3}$|';
33    $pattern = '|\.\./|';
34    $file    = trim($_GET["image"]);
35    if ( preg_match_all($pattern, $file, $matches) ) {
36        return false;
37    } else {
38        return true;
39    }
40}
41
42?>
Note: See TracBrowser for help on using the repository browser.