From 676d43008579112afe18d0277f0845f8df8f92ce Mon Sep 17 00:00:00 2001
From: kmorimatsu
Date: Tue, 16 Dec 2008 00:50:07 +0000
Subject: [PATCH 1/1] MEDIA::isValidCollection()
git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/nucleus-jp/trunk@727 1ca29b6e-896d-4ea0-84a5-967f57386b96
---
 utf8/nucleus/libs/MEDIA.php | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/utf8/nucleus/libs/MEDIA.php b/utf8/nucleus/libs/MEDIA.php
index 12d5b54..7347af1 100755
--- a/utf8/nucleus/libs/MEDIA.php
+++ b/utf8/nucleus/libs/MEDIA.php
@@ -99,17 +99,30 @@ class MEDIA {
 * checks if a collection exists with the given name, and if it's
 * allowed for the currently logged in member to upload files to it
 */
- function isValidCollection($collectionName) {
- global $member, $DIR_MEDIA;
-
- // private collections only accept uploads from their owners
- if (is_numeric($collectionName))
- return ($member->getID() == $collectionName);
-
- // other collections should exists and be writable
- $collectionDir = $DIR_MEDIA . $collectionName;
- return (@is_dir($collectionDir) || @is_writable($collectionDir));
- }
+ function isValidCollection($collectionName) {
+ global $member, $DIR_MEDIA;
+
+ // allow creating new private directory
+ if (preg_match('#^[0-9]+[/\\\\]?$#',$collectionName))
+ return ((int)$member->getID() == (int)$collectionName);
+
+ // avoid directory traversal
+ // note that preg_replace() is requred to remove the last "/" or "\" if exists
+ $media = realpath($DIR_MEDIA);
+ $media = preg_replace('#[/\\\\]+$#','',$media);
+ $collectionDir = realpath( $DIR_MEDIA . $collectionName );
+ $collectionDir = preg_replace('#[/\\\\]+$#','',$collectionDir);
+ if (strpos($collectionDir,$media)!==0 || $collectionDir == $media) return false;
+
+ // private collections only accept uploads from their owners
+ // The "+1" of "strlen($media)+1" corresponds to "/" or "\".
+ $collectionName=substr($collectionDir,strlen($media)+1);
+ if (preg_match('/^[0-9]+$/',$collectionName))
+ return ((int)$member->getID() == (int)$collectionName);
+
+ // other collections should exists and be writable
+ return (@is_dir($collectionDir) && @is_writable($collectionDir));
+ }
 
 /**
 * Adds an uploaded file to the media archive
-- 
2.11.0
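Review bot: The containment check `strpos($collectionDir,$media)!==0` only verifies that the resolved collection path begins with the media root's characters, not that a path separator follows, so a sibling directory whose name extends the root (constructed example: root `/srv/media`, resolved path under `/srv/media2`) is accepted as inside the root. Replacing that line with `if ($media === '' || !preg_match('#^' . preg_quote($media, '#') . '[/\\\\]#', $collectionDir)) return false;` enforces the separator boundary in the same both-separators convention the function already uses, and the `$media === ''` guard also covers `realpath($DIR_MEDIA)` returning false, which otherwise leaves `$media` empty after `preg_replace()` and makes the prefix test vacuous. Since `realpath()` on a missing collection also yields an empty `$collectionDir`, that regex form rejects it without relying on the incidental `strpos()` behaviour the current line depends on. Separately, the comment typo `requred` should read `required`.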