When you add the following route:

    presta_image:
        resource: "@PrestaImageBundle/Resources/config/routing.yaml"

You create a severe vulnerability, because the route presta_image_url_to_base64 uses file_get_contents(string $content).
If you execute

    curl -X POST -d 'url=/etc/passwd' https://site.tld/url_to_base64

for example, you will retrieve the contents of /etc/passwd (if applicable).
Possible fix: check in the contentToBase64 method whether the contents are an image?
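
One way to implement the check proposed above, as an added example (not PrestaImageBundle's code; all function names are hypothetical): base64-encode only bytes that are detected as an image. It goes one step beyond the suggested fix by also refusing anything that is not an http(s) URL before file_get_contents() is called.

```php
<?php
declare(strict_types=1);

// Added example, not the bundle's code. Function names are hypothetical.
const ALLOWED_IMAGE_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

// Accept only absolute http(s) URLs, so local paths such as /etc/passwd and
// wrappers such as file:// or php:// never reach file_get_contents().
// This does not restrict which hosts are reachable; that needs a host allow-list.
function assertRemoteHttpUrl(string $url): void
{
    $parts = parse_url($url);
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        throw new InvalidArgumentException('Only http(s) URLs are accepted.');
    }
}

// Encode $content only if its bytes are sniffed as an allowed image type
// and also parse as an image (the type is never taken from the request).
function imageContentToBase64(string $content): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($content);
    if (!in_array($mime, ALLOWED_IMAGE_MIME, true) || getimagesizefromstring($content) === false) {
        throw new UnexpectedValueException('Fetched content is not an image.');
    }
    return base64_encode($content);
}

function urlToBase64(string $url): string
{
    assertRemoteHttpUrl($url);
    $content = @file_get_contents($url);
    if ($content === false) {
        throw new RuntimeException('Unable to fetch the URL.');
    }
    return imageContentToBase64($content);
}

// Constructed sample input: a 1x1 GIF, then the path from the report.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
echo imageContentToBase64($gif), PHP_EOL;
try {
    urlToBase64('/etc/passwd');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```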