Merge pull request #202 from creative-commoners/pulls/2.0/escape-file…

…-execution FIX Escape file path before loading file from filesystem
silverstripe · Dec 7, 2017 · bcf2ac9 · bcf2ac9
2 parents 82a8a4b + 8efedf3
commit bcf2ac9
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/code/model/DMSDocument_Controller.php b/code/model/DMSDocument_Controller.php
@@ -82,14 +82,15 @@ public function index(SS_HTTPRequest $request)
                         $finfo = finfo_open(FILEINFO_MIME_TYPE);
                         $mime = finfo_file($finfo, $path);
                     } elseif (is_executable($fileBin)) {
+                        $path = escapeshellarg($path);
                         // try to use the system tool
                         $mime = `$fileBin -i -b $path`;
                         $mime = explode(';', $mime);
                         $mime = trim($mime[0]);
                     } else {
                         // make do with what we have
                         $ext = $doc->getExtension();
-                        if ($ext =='pdf') {
+                        if ($ext == 'pdf') {
                             $mime = 'application/pdf';
                         } elseif ($ext == 'html' || $ext =='htm') {
                             $mime = 'text/html';