fix: arbitrary lfi on wish image

This commit is contained in:
Niklas Bittner 2024-02-25 22:38:56 +01:00 committed by Jay Trees
parent 212c4754ee
commit 2751bb2028

View file

@ -339,7 +339,7 @@ class Wish
<?php if (file_exists(ROOT . $this->image)) { ?> <?php if (file_exists(ROOT . $this->image)) { ?>
<?= file_get_contents(ROOT . $this->image) ?> <?= file_get_contents(ROOT . $this->image) ?>
<?php } else { ?> <?php } else { ?>
<?= file_get_contents($this->image) ?> <?= file_get_contents(ROOT . self::NO_IMAGE) ?>
<?php } ?> <?php } ?>
<?php } else { ?> <?php } else { ?>
<img class="preview" src="<?= $this->image ?>" loading="lazy" /> <img class="preview" src="<?= $this->image ?>" loading="lazy" />