The $image variable is coming from a GET request.
Is it enough to check the left side (lines 4 & 5) of the $image request?
Can this be tricked with some escape characters?
If so, is there something similar to mysqli_real_escape_string() or escapeshellarg() for the ImageCreateFromJpeg() function?
Code:
function ResampleImage($image, $size)
{
    authenticate('access_config');
    if (substr($image, 0, 7) != 'http://' &&
        substr($image, 0, 7) != 'images/') exit();
    header('Content-type: image/jpeg');
    $extension = substr(strrchr($image, '.'), 1);
    $extension = strtolower($extension);
    if ($extension == 'jpg') $src_image = @ImageCreateFromJpeg($image) or exit();
    elseif ($extension == 'png') $src_image = @ImageCreateFromPng($image) or exit();
    elseif ($extension == 'gif') $src_image = @ImageCreateFromGif($image) or exit();
    else exit();
    // etc…
}
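
An added example, not part of the original post: there is no escaping function for image paths, so the usual approach is to canonicalise the value and compare it against what is allowed, because a prefix test on the raw string does not say where the path ends up. The names IMAGE_DIR, ALLOWED_HOSTS, resolveImageSource() and detectImageType() and the host img.example.com are assumptions made for this sketch.

```php
<?php
// Added example, not the poster's code. IMAGE_DIR and ALLOWED_HOSTS are assumed values.
const IMAGE_DIR     = __DIR__ . '/images';
const ALLOWED_HOSTS = ['img.example.com'];   // constructed placeholder host
const ALLOWED_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

/** Returns a canonical local path or a vetted URL, or null if the input is rejected. */
function resolveImageSource(string $image): ?string
{
    // Reject NUL bytes and other control characters outright.
    if (preg_match('/[\x00-\x1f]/', $image)) {
        return null;
    }
    if (strncmp($image, 'images/', 7) === 0) {
        // Canonicalise first, then compare: realpath() resolves "..", "." and
        // symlinks, and returns false when the file does not exist.
        $base = realpath(IMAGE_DIR);
        $path = realpath(IMAGE_DIR . '/' . substr($image, 7));
        if ($base === false || $path === false) return null;
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($path, $prefix, strlen($prefix)) !== 0) return null;
        return $path;
    }
    if (strncmp($image, 'http://', 7) === 0) {
        // Only fetch from hosts chosen in advance; no credentials, no explicit port.
        $parts = parse_url($image);
        if ($parts === false || !isset($parts['host'])) return null;
        if (isset($parts['user']) || isset($parts['port'])) return null;
        if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) return null;
        return $image;
    }
    return null;
}

/** Pick the decoder from the file's content, not from the extension in the request. */
function detectImageType(string $source): ?int
{
    $info = @getimagesize($source);
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) return null;
    return $info[2];
}

// Constructed inputs showing what the resolver accepts and rejects.
$samples = ['images/logo.jpg', 'images/../config.php',
            'http://img.example.com/a.png', 'http://internal.host/a.jpg'];
foreach ($samples as $in) {
    printf("%-32s => %s\n", $in, var_export(resolveImageSource($in), true));
}
```

PHP's http:// stream wrapper follows redirects by default, so the host allowlist only constrains the first request unless redirects are disabled in the stream context.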