git.shiar.nl / minimedit.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
thumb: validate path before extracting missing parts
[minimedit.git] / thumb / index.php
diff --git a/thumb/index.php b/thumb/index.php
index d296fbf1560e0f4d339912fa7e9aa6f8c5f575b9..7de4f456939152bd931f61a15094b4a061ebbe08 100644 (file)
--- a/thumb/index.php
+++ b/thumb/index.php
@@ -1,5 +1,10 @@
 <?php
-list ($size, $imgpath) = explode('/', ltrim($Args, '/'), 2);
+if (!$User) return;
+$imgpath = ltrim($Page->path, '/');
+if (!preg_match('{^[0-9x]+/}', $imgpath)) {
+       return;
+}
+list ($size, $imgpath) = explode('/', $imgpath, 2);
 $imgpath = preg_replace('{^(?=[0-9]+/)}', 'data/', $imgpath, 1);
 
 if (!file_exists($imgpath)) {
@@ -90,6 +95,7 @@ function mkthumb_exec($source, $target, $width, $height)
                '-delete', '1--1', # static
                '-trim',
                '-background', 'white', '-layers', 'flatten', # opaque
+               '-auto-orient', # apply exif rotation
                '-interlace', 'plane', # progressive
                '-strip', '-taint', # omit metadata
                '-sampling-factor', '4:2:0', '-colorspace', 'sRGB', # half chroma
MinimEdit - databaseless cms with only a bit of php