[Thumbnail] Validate media query name

pimcore · Jan 17, 2022 · 6f36e84 · 6f36e84
1 parent d8377fc
commit 6f36e84
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/bundles/AdminBundle/Controller/Admin/SettingsController.php b/bundles/AdminBundle/Controller/Admin/SettingsController.php
@@ -1331,6 +1331,11 @@ public function thumbnailUpdateAction(Request $request)
         });
 
         foreach ($mediaData as $mediaName => $items) {
+
+            if(preg_match('/["<>]/', $mediaName)) {
+                throw new \Exception('Invalid media query name');
+            }
+
             foreach ($items as $item) {
                 $type = $item['type'];
                 unset($item['type']);

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/thumbnail/item.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/thumbnail/item.js
@@ -216,6 +216,10 @@ pimcore.settings.thumbnail.item = Class.create({
             name = '(max-width: ' + name.replace("w", "") + 'px)';
         }
 
+        if(name.match(/["<>]/)) {
+            return;
+        }
+
         if (this.medias[name]) {
             return;
         }