Use a strict whitelist for allowed filenames in image folder in style export

author joshuaruesweg <ruesweg@woltlab.com>

Wed, 15 Dec 2021 10:50:25 +0000 (11:50 +0100)

committer joshuaruesweg <ruesweg@woltlab.com>

Wed, 15 Dec 2021 10:50:25 +0000 (11:50 +0100)
author joshuaruesweg <ruesweg@woltlab.com>
Wed, 15 Dec 2021 10:50:25 +0000 (11:50 +0100)
committer joshuaruesweg <ruesweg@woltlab.com>
Wed, 15 Dec 2021 10:50:25 +0000 (11:50 +0100)
diff --git a/wcfsetup/install/files/lib/data/style/StyleEditor.class.php b/wcfsetup/install/files/lib/data/style/StyleEditor.class.php

index 2e87ea2486cbbb3ce0408f8a92e2b2b02ad5d5db..6856f3c32917bafdfcb26c5490feed767014d797 100644 (file)
--- a/wcfsetup/install/files/lib/data/style/StyleEditor.class.php
+++ b/wcfsetup/install/files/lib/data/style/StyleEditor.class.php
@@ -1053,7 +1053,7 @@ class StyleEditor extends DatabaseObjectEditor implements IEditableCachedObject
              $imagesTar = new TarWriter($imagesTarName);
              FileUtil::makeWritable($imagesTarName);
  
-            $regEx = new Regex('^[^\.].+\.(jpg|jpeg|gif|png|svg|ico|json|xml|txt|webp)$', Regex::CASE_INSENSITIVE);
+            $regEx = new Regex('^([a-zA-Z0-9_-]+\.)+(jpg|jpeg|gif|png|svg|ico|json|xml|txt|webp)$', Regex::CASE_INSENSITIVE);
              $iterator = new \RecursiveIteratorIterator(
                  new \RecursiveDirectoryIterator(
                      $this->getAssetPath(),
author	joshuaruesweg <ruesweg@woltlab.com>
	Wed, 15 Dec 2021 10:50:25 +0000 (11:50 +0100)
committer	joshuaruesweg <ruesweg@woltlab.com>
	Wed, 15 Dec 2021 10:50:25 +0000 (11:50 +0100)