From 8e3d78a2f63dfca02755ce6226e01ae11745a866 Mon Sep 17 00:00:00 2001
From: Frode Petterson
Date: Fri, 18 Sep 2015 12:55:58 +0200
Subject: [PATCH] Prevent use of files that belongs to other content.

---
 h5p.classes.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/h5p.classes.php b/h5p.classes.php
index d4aed45..644eeed 100644
--- a/h5p.classes.php
+++ b/h5p.classes.php
@@ -2823,6 +2823,12 @@ class H5PContentValidator {
   // Validate a filelike object, such as video, image, audio and file.
   private function _validateFilelike(&$file, $semantics, $typevalidkeys = array()) {
+    // Do not allow to use files from other content folders.
+    $matches = array();
+    if (preg_match('/^(\.\.\/){1,2}(\d+|editor)\/(.+)$/', $file->path, $matches)) {
+      $file->path = $matches[3];
+    }
+
     // Make sure path and mime does not have any special chars
     $file->path = htmlspecialchars($file->path, ENT_QUOTES, 'UTF-8', FALSE);
     if (isset($file->mime)) {