Fix pathing issue in media manager (#3604)

Fix pathing issue in media manager Currently there is a way to manipulate folder names using the request headers for the medafinder folder path. since `validatePath` does not validate file names but rather only validates the existence of a folder in a parent/subdirectory. We can utilize `validateFileName` to verify if the name of the folder path being created is valid during the folder creation process and the name applying process.
2018-06-22 02:35:33 -04:00 · 2018-06-22 02:35:33 -04:00 · 0eac53bdd1
parent c46dc38ed1
commit 0eac53bdd1
1 changed files with 16 additions and 0 deletions
--- a/modules/backend/widgets/MediaManager.php
+++ b/modules/backend/widgets/MediaManager.php
@ -335,6 +335,14 @@ class MediaManager extends WidgetBase
        }

        $originalPath = Input::get('originalPath');
+        
+        $segments = explode('/', $originalPath);
+        $regexPath = $segments[count($segments)-1];
+
+        if($originalPath != '/' && !$this->validateFileName($regexPath)) {
+            throw new ApplicationException(Lang::get('system::lang.media.invalid_path', compact('originalPath')));
+        }
+        
        $originalPath = MediaLibrary::validatePath($originalPath);
        $newPath = dirname($originalPath).'/'.$newName;
        $type = Input::get('type');
@ -386,6 +394,14 @@ class MediaManager extends WidgetBase
        }

        $path = Input::get('path');
+        
+        $segments = explode('/', $path);
+        $regexPath = $segments[count($segments)-1];
+
+        if($path != '/' && !$this->validateFileName($regexPath)) {
+            throw new ApplicationException(Lang::get('system::lang.media.invalid_path', compact('path')));
+        }
+        
        $path = MediaLibrary::validatePath($path);

        $newFolderPath = $path.'/'.$name;