images (+API): Add a paranoia termination case for broken uploadPath

ophian · Oct 27, 2024 · 2b0a4df · 2b0a4df
1 parent 823c528
commit 2b0a4df
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/include/admin/images.inc.php b/include/admin/images.inc.php
@@ -8,6 +8,12 @@
     return;
 }
 
+/* IMAGE administration paranoia termination */
+if (empty($serendipity['uploadPath']) || (strlen($serendipity['uploadPath']) > 1 && substr($serendipity['uploadPath'], -1) != '/')) {
+    trigger_error('Whoops! Your serendipity "uploadPath" path variable was not found OR is empty OR its value is not allowed by criteria "x/". This is essential to not read and insert the complete blog or other wrong files into your MediaLibrary. This current operation was terminated to protect your system. The reason for this loss is unknown. Eventually you have to check your serendipity config database table or check the "path" section for the upload directory ("uploads/") and reset/submit the backend configuration. This error termination warning notice was thrown:<br>', E_USER_WARNING);
+    return;
+}
+
 $data = array();
 
 if (!is_object($serendipity['smarty'])) {

diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
@@ -3173,6 +3173,11 @@ function serendipity_displayImageList($page = 0, $manage = false, $url = NULL, $
     $start = ($page-1) * $perPage;
 
     if ($serendipity['onTheFlySynch'] && serendipity_checkPermission('adminImagesSync') && $manage && $limit_path === NULL) {
+        /* PRE SYNC paranoia termination in case a plugin or something finds a way to directly access serendipity_displayImageList() */
+        if (empty($serendipity['uploadPath']) || (strlen($serendipity['uploadPath']) > 1 && substr($serendipity['uploadPath'], -1) != '/x')) {
+            trigger_error('Whoops! Your serendipity "uploadPath" path variable was not found OR is empty OR its value is not allowed by criteria "x/". This is essential to not read and insert the complete blog or other wrong files into your MediaLibrary. This current operation was terminated to protect your system. The reason for this loss is unknown. Eventually you have to check your serendipity config database table or check the "path" section for the upload directory ("uploads/") and reset/submit the backend configuration. This error termination warning notice was thrown:<br>', E_USER_WARNING);
+            return 'error'; // dummy string for string return type to display the triggered error
+        }
         ## SYNC START ##
         $aExclude = array('CVS' => true, '.svn' => true, '.git' => true); // removed ", '.v' => true", which allows to place an existing .v/ dir stored AVIF/Webp image variation in the aFilesNoSync array! See media_items.tpl special.pfilename button.
         serendipity_plugin_api::hook_event('backend_media_path_exclude_directories', $aExclude);