| author | Greg Roach <greg@subaqua.co.uk> | 2024-01-03 16:28:04 +0000 |
|---|---|---|
| committer | Greg Roach <greg@subaqua.co.uk> | 2024-01-03 16:28:04 +0000 |
| commit | a1bd562d15d6654c7f635d5f296b83f5d866e1cb (patch) | |
| tree | 210e1d2b80695b3cd0ffe6f51282b86a586da184 /app/Http/RequestHandlers/AdminMediaFileThumbnail.php | |
| parent | aa4d6f535649f5cf2dc8a9e022e559dbdbeeb582 (diff) | |
| download | webtrees-a1bd562d15d6654c7f635d5f296b83f5d866e1cb.tar.gz webtrees-a1bd562d15d6654c7f635d5f296b83f5d866e1cb.tar.bz2 webtrees-a1bd562d15d6654c7f635d5f296b83f5d866e1cb.zip | |
Add validation to media-folder parameter
Diffstat (limited to 'app/Http/RequestHandlers/AdminMediaFileThumbnail.php')
| -rw-r--r-- | app/Http/RequestHandlers/AdminMediaFileThumbnail.php | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/app/Http/RequestHandlers/AdminMediaFileThumbnail.php b/app/Http/RequestHandlers/AdminMediaFileThumbnail.php
index 11298382ab..f940be4f86 100644
--- a/app/Http/RequestHandlers/AdminMediaFileThumbnail.php
+++ b/app/Http/RequestHandlers/AdminMediaFileThumbnail.php
@@ -19,7 +19,10 @@ declare(strict_types=1);
 
 namespace Fisharebest\Webtrees\Http\RequestHandlers;
 
+use Fisharebest\Webtrees\Http\Exceptions\HttpBadRequestException;
+use Fisharebest\Webtrees\I18N;
 use Fisharebest\Webtrees\Registry;
+use Fisharebest\Webtrees\Services\MediaFileService;
 use Fisharebest\Webtrees\Validator;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -30,6 +33,16 @@ use Psr\Http\Server\RequestHandlerInterface;
  */
 class AdminMediaFileThumbnail implements RequestHandlerInterface
 {
+    private MediaFileService $media_file_service;
+
+    /**
+     * @param MediaFileService $media_file_service
+     */
+    public function __construct(MediaFileService $media_file_service)
+    {
+        $this->media_file_service = $media_file_service;
+    }
+
     /**
      * Show an image/thumbnail, with/without a watermark.
      *
@@ -42,6 +55,14 @@ class AdminMediaFileThumbnail implements RequestHandlerInterface
         $filesystem = Registry::filesystem()->data();
         $path = Validator::queryParams($request)->string('path');
 
-        return Registry::imageFactory()->thumbnailResponse($filesystem, $path, 120, 120, 'contain');
+        $media_folders = $this->media_file_service->allMediaFolders($filesystem)->all();
+
+        foreach ($media_folders as $media_folder) {
+            if (str_starts_with($path, $media_folder)) {
+                return Registry::imageFactory()->thumbnailResponse($filesystem, $path, 120, 120, 'contain');
+            }
+        }
+
+        throw new HttpBadRequestException(I18N::translate('The parameter “path” is invalid.'));
     }
 }
|
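Review bot: In the third hunk, `str_starts_with($path, $media_folder)` is a string-prefix test rather than a containment test, so a value that begins with a media folder but carries `..` segments after it still passes the new check, and whether the data filesystem itself refuses such paths is not visible in this diff. The check also only does what the commit title promises if every entry returned by `allMediaFolders()` ends in a directory separator; otherwise a folder named like a shorter prefix would match unrelated paths, which I cannot confirm from here. Consider rejecting traversal segments explicitly before the loop, `if (str_contains($path, '..')) { throw new HttpBadRequestException(I18N::translate('The parameter “path” is invalid.')); }`, so the handler does not depend on a lower layer for this guarantee. The enclosing handle() method starts outside the hunk.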
