authorGreg Roach <greg@subaqua.co.uk>2024-01-03 16:28:04 +0000
committerGreg Roach <greg@subaqua.co.uk>2024-01-03 16:28:04 +0000
commita1bd562d15d6654c7f635d5f296b83f5d866e1cb (patch)
tree210e1d2b80695b3cd0ffe6f51282b86a586da184 /app/Http/RequestHandlers/AdminMediaFileThumbnail.php
parentaa4d6f535649f5cf2dc8a9e022e559dbdbeeb582 (diff)
Add validation to media-folder parameter
Diffstat (limited to 'app/Http/RequestHandlers/AdminMediaFileThumbnail.php')
-rw-r--r--app/Http/RequestHandlers/AdminMediaFileThumbnail.php23
1 files changed, 22 insertions, 1 deletions
diff --git a/app/Http/RequestHandlers/AdminMediaFileThumbnail.php b/app/Http/RequestHandlers/AdminMediaFileThumbnail.php
index 11298382ab..f940be4f86 100644
--- a/app/Http/RequestHandlers/AdminMediaFileThumbnail.php
+++ b/app/Http/RequestHandlers/AdminMediaFileThumbnail.php
@@ -19,7 +19,10 @@ declare(strict_types=1);
namespace Fisharebest\Webtrees\Http\RequestHandlers;
+use Fisharebest\Webtrees\Http\Exceptions\HttpBadRequestException;
+use Fisharebest\Webtrees\I18N;
use Fisharebest\Webtrees\Registry;
+use Fisharebest\Webtrees\Services\MediaFileService;
use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
@@ -30,6 +33,16 @@ use Psr\Http\Server\RequestHandlerInterface;
*/
class AdminMediaFileThumbnail implements RequestHandlerInterface
{
+ private MediaFileService $media_file_service;
+
+ /**
+ * @param MediaFileService $media_file_service
+ */
+ public function __construct(MediaFileService $media_file_service)
+ {
+ $this->media_file_service = $media_file_service;
+ }
+
/**
* Show an image/thumbnail, with/without a watermark.
*
@@ -42,6 +55,14 @@ class AdminMediaFileThumbnail implements RequestHandlerInterface
$filesystem = Registry::filesystem()->data();
$path = Validator::queryParams($request)->string('path');
- return Registry::imageFactory()->thumbnailResponse($filesystem, $path, 120, 120, 'contain');
+ $media_folders = $this->media_file_service->allMediaFolders($filesystem)->all();
+
+ foreach ($media_folders as $media_folder) {
+ if (str_starts_with($path, $media_folder)) {
+ return Registry::imageFactory()->thumbnailResponse($filesystem, $path, 120, 120, 'contain');
+ }
+ }
+
+ throw new HttpBadRequestException(I18N::translate('The parameter “path” is invalid.'));
}
}
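Review bot: The prefix test `str_starts_with($path, $media_folder)` accepts any value that merely begins with an allowed folder, so a path such as `media/../some.file` still passes the loop and is handed to `thumbnailResponse()`; whether that is harmless depends on the data filesystem's path normaliser rejecting traversal, which this hunk does not show. A self-contained guard that does not rely on that behaviour would reject parent-directory segments before the loop, e.g. `if (str_contains($path, '..')) { throw new HttpBadRequestException(I18N::translate('The parameter “path” is invalid.')); }`. It is also not visible here whether `allMediaFolders()` returns names with a trailing `/`; if it does not, a folder named `media` would also match `media-private/...`, so consider comparing against `rtrim($media_folder, '/') . '/'`. The enclosing `handle()` method's signature and the `Validator` call precede this hunk, so the exact shape of `$path` (e.g. whether it is already trimmed or normalised) cannot be confirmed from the diff.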