marshsu / timthumb

Automatically exported from code.google.com/p/timthumb
0 stars 0 forks source link

getLocalImagePath does not verify docRoot before attempting to locate files beneath #444

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Just had a scenario where someone had incorrectly set the 
$_SERVER[\'DOCUMENT_ROOT\'] variable - but the error reported could have been 
much more specific than "could not find file". Could have been MUCH quicker to 
track down the issue.

Patched line 889 with:
                else if (!is_dir($this->docRoot))
            $this->error('Server path ' . $this->docRoot . ' does not exist! Ensure variable _SERVER[\'DOCUMENT_ROOT\'] is set correctly.');

function now looks like this:

*snip*
protected function getLocalImagePath($src){
        $src = ltrim($src, '/'); //strip off the leading '/'
        if(! $this->docRoot){
            $this->debug(3, "We have no document root set, so as a last resort, lets check if the image is in the current dir and serve that.");
            //We don't support serving images outside the current dir if we don't have a doc root for security reasons.
            $file = preg_replace('/^.*?([^\/\\\\]+)$/', '$1', $src); //strip off any path info and just leave the filename.
            if(is_file($file)){
                return $this->realpath($file);
            }
            return $this->error("Could not find your website document root and the file specified doesn't exist in timthumbs directory. We don't support serving files outside timthumb's directory without a document root for security reasons.");
        } //Do not go past this point without docRoot set
                else if (!is_dir($this->docRoot))
            $this->error('Server path ' . $this->docRoot . ' does not exist! Ensure variable _SERVER[\'DOCUMENT_ROOT\'] is set correctly.');
*snip*

Original issue reported on code.google.com by nimblea...@gmail.com on 15 Apr 2013 at 7:15

GoogleCodeExporter commented 9 years ago

Original comment by BinaryMoon on 27 Sep 2013 at 8:47