From: Mischa POSLAWSKY <perl@shiar.org>
Date: Sun, 27 Dec 2020 01:36:04 +0000 (+0100)
Subject: thumb: validate path before extracting missing parts
X-Git-Tag: v5.1~20
X-Git-Url: http://git.shiar.nl/minimedit.git/commitdiff_plain/c1e16f04396f7f76f94f0ef6bbaadc33be20a60e

thumb: validate path before extracting missing parts

Silence PHP warning about undefined offset on invalid requests.
---

diff --git a/thumb/index.php b/thumb/index.php
index a6b5bd7..7de4f45 100644
--- a/thumb/index.php
+++ b/thumb/index.php
@@ -1,6 +1,10 @@
 <?php
 if (!$User) return;
-list ($size, $imgpath) = explode('/', ltrim($Page->path, '/'), 2);
+$imgpath = ltrim($Page->path, '/');
+if (!preg_match('{^[0-9x]+/}', $imgpath)) {
+	return;
+}
+list ($size, $imgpath) = explode('/', $imgpath, 2);
 $imgpath = preg_replace('{^(?=[0-9]+/)}', 'data/', $imgpath, 1);
 
 if (!file_exists($imgpath)) {