Add folder verification on delete file/image #2
Conversation
| $upload_folder = "/uploads/"; | ||
|
|
||
| // If the file is inside the uploads folder | ||
| if (substr($src, 0, strlen($upload_folder)) === $upload_folder) |
There was a problem hiding this comment.
This doesn't really fix the problem because the path might be something like this: /uploads/../foo/something_bad_here. Also, this should be done in the SDK, not in the examples.
There was a problem hiding this comment.
Why the user would have something bad in the uploads folder?
The SDK don't have any kind of "users" extensions to check permissions if the user can delete the file, so how should this be handled?
There was a problem hiding this comment.
Inside the SDK when deleting a file, there should be a check to see if the $upload_folder actually contains the file indicated by the path. The easiest way would be to look into the $upload_folder files recursively and compare paths. Again, this should be done in the SDK itself, not here.
Update the example to check if the file to be removed is inside the uploads folder to make sure unwanted files are deleted
Discussion:
froala/wysiwyg-editor-php-sdk#14
Documentation Changes Required:
https://www.froala.com/wysiwyg-editor/docs/sdks/php/file-server-delete
https://www.froala.com/wysiwyg-editor/docs/sdks/php/image-server-delete