JamesHeinrich / phpThumb

phpThumb() - The PHP thumbnail generator

Bug - realPathSafe() issues on Windows servers #167

Closed dleffler closed 3 years ago

dleffler commented 3 years ago

There are issues when using phpThumb on a Windows server, since the DIRECTORY_SEPARATOR is the same symbol \ used to escape key characters in regex patterns... therefore the regex pattern becomes corrupted.

PHP Warning:  preg_replace(): No ending delimiter '#' found in K:\\UwAmp\\www\\exp2\\external\\phpThumb\\phpthumb.class.php on line 1259, 1269, 1272, 1278
JamesHeinrich commented 3 years ago

Looks like the assorted preg_replace calls in that function should all be wrapped with preg_quote, as in change (for example) $newfilename = preg_replace('#^\\.'.DIRECTORY_SEPARATOR.'#', '', $newfilename); to $newfilename = preg_replace('#^\\.'.preg_quote(DIRECTORY_SEPARATOR).'#', '', $newfilename); etc.

Do you agree with that fix? https://github.com/JamesHeinrich/phpThumb/commit/0ff5b371d18c9e8ec0eb6474b069cae5372b0547

dleffler commented 3 years ago

While this fix indeed removes the warnings, it now creates a bad path since the test in the first part of the function

        if (!preg_match('#^'.preg_quote(DIRECTORY_SEPARATOR).'#', $newfilename)) {
            $newfilename =  __DIR__ .DIRECTORY_SEPARATOR.$newfilename;
        }

will create a bad path, since it may/will be passed a full Windows path with a drive letter and the test is for a path beginning with a backslash; if so it will add the file directory path, creating something like

K:\UwAmp\www\exp2\external\phpThumb\K:\UwAmp\www\exp2

Note that K: is included twice.

JamesHeinrich commented 3 years ago

Try with https://github.com/JamesHeinrich/phpThumb/commit/88cc3bb7993dcc271dba7205301acbbae8306d10
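The two problems raised in this thread, an unquoted DIRECTORY_SEPARATOR inside a preg pattern and an "is this path absolute?" test that only checks for a leading separator, can be seen side by side in the following added example. It is not phpThumb's code and not the content of either linked commit; the helper names isAbsolutePath and realPathSafeDemo, and the sample paths, are constructed for illustration. The separator is passed in as a parameter so the Windows behaviour can be exercised on any platform.

```php
<?php
// Added example, not phpThumb's realPathSafe(). Demonstrates:
// 1. DIRECTORY_SEPARATOR is "\" on Windows, which is also the regex escape
//    character, so it must go through preg_quote() before being embedded
//    in a pattern (otherwise: "No ending delimiter '#' found").
// 2. On Windows an absolute path may start with a drive letter ("K:\..."),
//    not only with a separator, so a leading-separator test alone will
//    prefix the base directory onto an already absolute path.

function isAbsolutePath(string $path, string $sep): bool
{
    // Leading separator ("/foo" or "\foo"); $sep is quoted with the same
    // delimiter character ('#') used in the pattern.
    if (preg_match('#^' . preg_quote($sep, '#') . '#', $path)) {
        return true;
    }
    // Windows-style drive letter followed by "\" or "/", e.g. "K:\" or "K:/".
    if ($sep === '\\' && preg_match('#^[A-Za-z]:[\\\\/]#', $path)) {
        return true;
    }
    return false;
}

function realPathSafeDemo(string $filename, string $sep, string $baseDir): string
{
    $q = preg_quote($sep, '#');

    // Prepend the base directory only for genuinely relative inputs.
    if (!isAbsolutePath($filename, $sep)) {
        $filename = $baseDir . $sep . $filename;
    }

    // Collapse "<sep>.<sep>" segments and runs of separators. These
    // patterns are only valid because $sep has been quoted above.
    $filename = preg_replace('#' . $q . '\.' . $q . '#', $sep, $filename);
    $filename = preg_replace('#' . $q . '{2,}#', $sep, $filename);

    return $filename;
}

// Constructed sample inputs (Windows separator forced on any platform).
$base = 'K:\\UwAmp\\www\\exp2\\external\\phpThumb';
$absolute = 'K:\\UwAmp\\www\\exp2\\images\\a.jpg';
$relative = '.\\images\\a.jpg';

echo realPathSafeDemo($absolute, '\\', $base), PHP_EOL;
echo realPathSafeDemo($relative, '\\', $base), PHP_EOL;

// Same helper with a POSIX separator, where "\" never appears in patterns.
echo realPathSafeDemo('./images/a.jpg', '/', '/var/www/phpThumb'), PHP_EOL;
```

With the separator set to "\", the drive-letter input is recognised as absolute and returned without the base directory being prefixed, so the doubled "K:\..." path shown earlier in the thread does not arise; the relative input is anchored under the base directory and its ".\" segment removed. Running the same code with "/" shows that the quoting is harmless when the separator is not a regex metacharacter.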