From 2b0a4df3003b8ebf24716321f191f7dc324325c7 Mon Sep 17 00:00:00 2001
From: Ian <1105372+ophian@users.noreply.github.com>
Date: Sun, 27 Oct 2024 11:29:46 +0100
Subject: [PATCH] images (+API): Add a paranoia termination case for broken uploadPath
---
 include/admin/images.inc.php | 6 ++++++
 include/functions_images.inc.php | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/include/admin/images.inc.php b/include/admin/images.inc.php
index 679869dc4..b74ad95f6 100644
--- a/include/admin/images.inc.php
+++ b/include/admin/images.inc.php
@@ -8,6 +8,12 @@
 return;
 }
+/* IMAGE administration paranoia termination */
+if (empty($serendipity['uploadPath']) || (strlen($serendipity['uploadPath']) > 1 && substr($serendipity['uploadPath'], -1) != '/')) {
+ trigger_error('Whoops! Your serendipity "uploadPath" path variable was not found OR is empty OR its value is not allowed by criteria "x/". This is essential to not read and insert the complete blog or other wrong files into your MediaLibrary. This current operation was terminated to protect your system. The reason for this loss is unknown. Eventually you have to check your serendipity config database table or check the "path" section for the upload directory ("uploads/") and reset/submit the backend configuration. This error termination warning notice was thrown:
', E_USER_WARNING);
+ return;
+}
+
 $data = array();
 if (!is_object($serendipity['smarty'])) {
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index e5fcb595b..0a3f0249c 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
@@ -3173,6 +3173,11 @@ function serendipity_displayImageList($page = 0, $manage = false, $url = NULL, $
 $start = ($page-1) * $perPage;
 if ($serendipity['onTheFlySynch'] && serendipity_checkPermission('adminImagesSync') && $manage && $limit_path === NULL) {
+ /* PRE SYNC paranoia termination in case a plugin or something finds a way to directly access serendipity_displayImageList() */
+ if (empty($serendipity['uploadPath']) || (strlen($serendipity['uploadPath']) > 1 && substr($serendipity['uploadPath'], -1) != '/x')) {
+ trigger_error('Whoops! Your serendipity "uploadPath" path variable was not found OR is empty OR its value is not allowed by criteria "x/". This is essential to not read and insert the complete blog or other wrong files into your MediaLibrary. This current operation was terminated to protect your system. The reason for this loss is unknown. Eventually you have to check your serendipity config database table or check the "path" section for the upload directory ("uploads/") and reset/submit the backend configuration. This error termination warning notice was thrown:
', E_USER_WARNING);
+ return 'error'; // dummy string for string return type to display the triggered error
+ }
 ## SYNC START ##
 $aExclude = array('CVS' => true, '.svn' => true, '.git' => true); // removed ", '.v' => true", which allows to place an existing .v/ dir stored AVIF/Webp image variation in the aFilesNoSync array! See media_items.tpl special.pfilename button.
 serendipity_plugin_api::hook_event('backend_media_path_exclude_directories', $aExclude);
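Review bot: In the PRE SYNC guard added to serendipity_displayImageList(), `substr($serendipity['uploadPath'], -1) != '/x'` compares a one-character result with the two-character literal '/x', so the test is true for every uploadPath longer than one character. As written, a correct value such as "uploads/" takes the trigger_error branch and the function returns 'error' whenever the on-the-fly sync condition is met; the matching guard in include/admin/images.inc.php compares against '/', which looks like the intended value. I would change the line to `if (empty($serendipity['uploadPath']) || (strlen($serendipity['uploadPath']) > 1 && substr($serendipity['uploadPath'], -1) !== '/')) {`. Both copies of the guard also accept any one-character value because of `strlen(...) > 1`; if a bare "/" would resolve to the blog root (the path joining is not visible here), that case deserves an explicit rejection, since it is the situation the error message says the check exists to prevent. The body of serendipity_displayImageList() begins and ends outside this hunk.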