TPS/birzha
TPS
/
birzha
5
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix issue with image resizer URLs that contain URL-encoded characters (i.e. spaces) 

Don't double decode the URL when validating it because the routing engine already decoded it once
This commit is contained in:
Luke Towers 2020-09-19 14:07:23 -06:00
parent 15ca68c22d
commit 0101e1f96b
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules/system/classes/ImageResizer.php
View File

@ -483,7 +483,7 @@ class ImageResizer
{
// Slashes in URL params have to be double encoded to survive Laravel's router
// @see https://github.com/octobercms/october/issues/3592#issuecomment-671017380
$resizedUrl = urlencode(urlencode($this->getResizedUrl()));
$resizedUrl = rawurlencode(rawurlencode($this->getResizedUrl()));
// Get the current configuration's identifier
$identifier = $this->getIdentifier();
@ -571,14 +571,14 @@ class ImageResizer
// Process a string
} elseif (is_string($image)) {
// Parse the provided image path into a filesystem ready relative path
$relativePath = static::normalizePath(urldecode(parse_url($image, PHP_URL_PATH)));
$relativePath = static::normalizePath(rawurldecode(parse_url($image, PHP_URL_PATH)));
// Loop through the sources available to the application to pull from
// to identify the source most likely to be holding the image
$resizeSources = static::getAvailableSources();
foreach ($resizeSources as $source => $details) {
// Normalize the source path
$sourcePath = static::normalizePath(urldecode(parse_url($details['path'], PHP_URL_PATH)));
$sourcePath = static::normalizePath(rawurldecode(parse_url($details['path'], PHP_URL_PATH)));
// Identify if the current source is a match
if (starts_with($relativePath, $sourcePath)) {
@ -727,7 +727,7 @@ class ImageResizer
{
// Slashes in URL params have to be double encoded to survive Laravel's router
// @see https://github.com/octobercms/october/issues/3592#issuecomment-671017380
$decodedUrl = urldecode(urldecode($encodedUrl));
$decodedUrl = rawurldecode($encodedUrl);
$url = null;
// The identifier should be the signed version of the decoded URL