Closed dleffler closed 3 years ago
Looks like the assorted preg_replace in that function should all be wrapped with preg_quote, as in change (for example)
$newfilename = preg_replace('#^\\.'.DIRECTORY_SEPARATOR.'#', '', $newfilename);
to
$newfilename = preg_replace('#^\\.'.preg_quote(DIRECTORY_SEPARATOR).'#', '', $newfilename);
etc
Do you agree with that fix? https://github.com/JamesHeinrich/phpThumb/commit/0ff5b371d18c9e8ec0eb6474b069cae5372b0547
While this fix indeed removes the warnings, it now creates a bad path since the test in the first part of the function
if (!preg_match('#^'.preg_quote(DIRECTORY_SEPARATOR).'#', $newfilename)) {
    $newfilename = __DIR__ .DIRECTORY_SEPARATOR.$newfilename;
}
will create a bad path since it may/will be passed a full Windows path with drive letter and the test is for a path beginning with a backslash, and if so will add the file directory path, creating something like
K:\UwAmp\www\exp2\external\phpThumb\K:\UwAmp\www\exp2
Note the K: is included twice.
There are issues when using phpThumb on a Windows server since the DIRECTORY_SEPARATOR is the same symbol \ used to escape key characters in regex patterns... therefore the regex pattern becomes corrupted.
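The two problems raised in this thread (the unquoted separator corrupting the pattern, and the leading-separator test missing a drive letter) can be reproduced on any platform with the sketch below. It is an added example, not phpThumb's code: `strip_leading_dot`, `is_absolute_path` and `resolve_path` are hypothetical helpers, and `$sep` stands in for `DIRECTORY_SEPARATOR`.

```php
<?php
// Added example, not phpThumb's code. $sep stands in for DIRECTORY_SEPARATOR
// so the Windows case ('\') can be reproduced on any platform.

// Hypothetical helper: strip a leading "./" or ".\" from $path.
function strip_leading_dot(string $path, string $sep, bool $quote): ?string
{
    $s = $quote ? preg_quote($sep, '#') : $sep;
    // Unquoted with $sep = '\', the pattern is #^\.\# : the backslash escapes
    // the closing delimiter, so PCRE rejects it and preg_replace() returns null.
    return @preg_replace('#^\\.' . $s . '#', '', $path);
}

// Hypothetical helper: absolute-path test that also accepts a drive letter.
function is_absolute_path(string $path, string $sep): bool
{
    if ($sep === '\\') {
        // "K:\dir", "K:/dir", "\dir" and UNC "\\host\share" all count as absolute.
        return preg_match('#^([a-z]:)?[\\\\/]#i', $path) === 1;
    }
    return strncmp($path, '/', 1) === 0;
}

// Prepend $base only when $path is relative.
function resolve_path(string $path, string $base, string $sep): string
{
    return is_absolute_path($path, $sep) ? $path : $base . $sep . $path;
}

$sep  = '\\';                                        // Windows separator
$base = 'K:\\UwAmp\\www\\exp2\\external\\phpThumb';  // paths from the thread
$full = 'K:\\UwAmp\\www\\exp2';

var_dump(strip_leading_dot('.\\cache\\a.jpg', $sep, false)); // corrupted pattern
var_dump(strip_leading_dot('.\\cache\\a.jpg', $sep, true));  // quoted separator

// Leading-separator-only test, as in the quoted snippet: misses the drive letter.
$rooted = preg_match('#^' . preg_quote($sep, '#') . '#', $full) === 1;
var_dump($rooted ? $full : $base . $sep . $full);

// Drive-aware test leaves the full path alone and still anchors relative ones.
var_dump(resolve_path($full, $base, $sep));
var_dump(resolve_path('cache\\a.jpg', $base, $sep));
```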