Prevent use of files that belongs to other content.

pull/6/head
Frode Petterson 2015-09-18 12:55:58 +02:00
parent 742339ba8f
commit 8e3d78a2f6
1 changed files with 6 additions and 0 deletions


@ -2823,6 +2823,12 @@ class H5PContentValidator {
// Validate a filelike object, such as video, image, audio and file. // Validate a filelike object, such as video, image, audio and file.
private function _validateFilelike(&$file, $semantics, $typevalidkeys = array()) { private function _validateFilelike(&$file, $semantics, $typevalidkeys = array()) {
// Do not allow to use files from other content folders.
$matches = array();
if (preg_match('/^(\.\.\/){1,2}(\d+|editor)\/(.+)$/', $file->path, $matches)) {
$file->path = $matches[3];
}
// Make sure path and mime does not have any special chars // Make sure path and mime does not have any special chars
$file->path = htmlspecialchars($file->path, ENT_QUOTES, 'UTF-8', FALSE); $file->path = htmlspecialchars($file->path, ENT_QUOTES, 'UTF-8', FALSE);
if (isset($file->mime)) { if (isset($file->mime)) {
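Review bot: The new `preg_match` guard at the top of `_validateFilelike` only recognises one shape of foreign path (one or two leading `../`, then a numeric id or `editor`), and the rewritten `$file->path` is never checked again. The captured remainder `$matches[3]` comes from `(.+)` and can itself contain parent-directory segments, and any path that does not match this exact prefix passes through unchanged. After the rewrite I would check for any remaining `..` segment, e.g. `if (preg_match('/(^|\/)\.\.(\/|$)/', $file->path)) { ... }`, and reject the value the same way this validator handles other invalid input. The rest of the function lies outside the hunk, so a later check may already cover this; if it does, a short comment here pointing to it would help.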