Fix some potential security hazards

xiaomlove
2023-05-20 00:17:17 +08:00
parent 167af06cfa
commit fa95279e66
11 changed files with 16 additions and 15 deletions


@@ -230,7 +230,7 @@ if ($Attach->enable_attachment())
$dlkey = md5($db_file_location.".".$ext);
sql_query("INSERT INTO attachments (userid, width, added, filename, filetype, filesize, location, dlkey, isimage, thumb) VALUES (".$CURUSER['id'].", ".$width.", ".sqlesc(date("Y-m-d H:i:s")).", ".sqlesc($origfilename).", ".sqlesc($filetype).", ".$filesize.", ".sqlesc($db_file_location.".".$ext).", ".sqlesc($dlkey).", ".($isimage ? 1 : 0).", ".($hasthumb ? 1 : 0).")") or sqlerr(__FILE__, __LINE__);
$count_left--;
if (!empty($_REQUEST['callback_func'])) {
if (!empty($_REQUEST['callback_func']) && preg_match('/^preview_custom_field_image_\d+$/', $_REQUEST['callback_func'])) {
$url = $httpdirectory_attachment."/".$db_file_location . ".$ext";
if ($hasthumb) {
$url .= ".thumb.jpg";
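Review bot: The new allow-list check on `$_REQUEST['callback_func']` anchors with `$`, which in PCRE also matches just before a trailing newline, so a value ending in a line feed still passes; anchor with `\z` (or add the `D` modifier), e.g. `preg_match('/^preview_custom_field_image_\d+\z/', $_REQUEST['callback_func'])`. `!empty()` is also true for an array parameter, which makes `preg_match()` raise a warning or a TypeError depending on the PHP version, so an `is_string($_REQUEST['callback_func'])` guard before the match would keep the branch quiet on malformed input. The place where the callback name is written into the response is outside this hunk; if it lands in a script context, as the name suggests, output escaping there is still worth keeping as a second layer behind this pattern.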