Don't do a final move for invalid/malicious files. See #333.

salesagility · Aug 7, 2015 · a4a1884 · a4a1884
1 parent b2e2bee
commit a4a1884
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/modules/Configurator/UploadFileCheck.php b/modules/Configurator/UploadFileCheck.php
@@ -60,6 +60,13 @@
     if($upload->confirm_upload()) {
         $upload_dir  = 'upload://' . $upload_path;
         UploadStream::ensureDir($upload_dir);
+        if(!verify_uploaded_image($upload->temp_file_location, $returnArray['forQuotes'] == 'quotes')){
+            $returnArray['data']='other';
+            $returnArray['path'] = '';
+            echo $json->encode($returnArray);
+            sugar_cleanup();
+            exit();
+        }
         $file_name = $upload_dir."/".$upload->get_stored_file_name();
         if($upload->final_move($file_name)) {
             $upload_ok = true;