update

microweber · Dec 5, 2022 · 0d279ac · 0d279ac
1 parent babf280
commit 0d279ac
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/src/MicroweberPackages/App/functions/other.php b/src/MicroweberPackages/App/functions/other.php
@@ -1211,3 +1211,17 @@ function mergeScreenshotParts($files, $outputFilename = 'full-screenshot.png')
         imagepng($targetImage, $outputFilename, 8);
     }
 }
+if (!function_exists('sanitize_path')) {
+
+    function sanitize_path($path)
+    {
+        $path = str_replace('..', '', $path);
+        $path = str_replace('./', '', $path);
+        $path = str_replace('.\\', '', $path);
+        $path = str_replace(';', '', $path);
+        $path = str_replace('&&', '', $path);
+        $path = str_replace('|', '', $path);
+        $path = str_replace('>', '', $path);
+        return $path;
+    }
+}
diff --git a/src/MicroweberPackages/App/functions/plupload.php b/src/MicroweberPackages/App/functions/plupload.php
@@ -285,8 +285,7 @@
     //$path = str_replace('%25252F','/',$path);
 
     $path = normalize_path($path, 0);
-
-    $path = str_replace('..', '', $path);
+    $path = sanitize_path($path);
     $path = str_replace($path_restirct, '', $path);
 
     // $target_path = userfiles_path() . DS . $path;