codemonauts / craft-instagram-feed

Craft CMS plugin to receive Instagram feed data as a variable in templates
MIT License

user input validation in ImageController.php #59

Closed kmille closed 2 years ago

kmille commented 2 years ago

Hey, in src/controllers/ImageController.php, you read from a file with unsanitized user input. Even if it's not super exploitable, as you append static strings, I would prefer some user input validation. You can copy/paste from the docs: https://docs.craftcms.com/api/v3/craft-web-response.html#method-sendfile I hope we have left behind the time when you could send null bytes to PHP with %00.
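One way to validate the user-supplied name before it is turned into a file path, as an added example that is not the plugin's own code (the function name, the cache directory and the `.jpg` extension are assumptions):

```php
<?php
// Added example (not the plugin's code): allow-list validation for a
// user-supplied image name before it becomes a file path. The function
// name, cache directory and static ".jpg" extension are assumptions.

declare(strict_types=1);

/**
 * Return the absolute path of the requested image, or null if the input is
 * not an acceptable file name or resolves outside the cache directory.
 */
function resolveImagePath(string $userInput, string $cacheDir): ?string
{
    // Reject embedded null bytes explicitly rather than relying on PHP to do so.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }

    // Allow-list: only the characters a media id is expected to contain.
    // Slashes, dots, spaces and ".." all fail here, before any disk access.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $userInput)) {
        return null;
    }

    // The application appends a static extension, as the issue describes.
    $candidate = rtrim($cacheDir, '/') . '/' . $userInput . '.jpg';

    // Belt and braces: the resolved path must still be inside the cache directory.
    $base = realpath($cacheDir);
    $real = realpath($candidate);
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }

    return $real;
}

// Constructed inputs: one valid id and three malformed ones.
$cacheDir = sys_get_temp_dir() . '/instagram-cache';
@mkdir($cacheDir, 0700, true);
touch($cacheDir . '/abc123.jpg');

foreach (['abc123', '../../etc/passwd', "abc123\0.png", 'abc 123'] as $input) {
    $path = resolveImagePath($input, $cacheDir);
    printf("%-22s => %s\n", json_encode($input), $path ?? 'rejected');
}
// Only the first input yields a path; the others are rejected before any file access.
// The validated path is what gets handed to the framework's file response,
// e.g. Craft::$app->getResponse()->sendFile($path) from the linked docs.
```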

kringkaste commented 2 years ago

Hey, we just released version 2.0 with changed input validation. Thanks for the hint!