TALOS-2023-1881

CVE-2023-49738
2025-10-03 01:39:24 +02:00 · 2023-12-15 11:27:32 -03:00 · 2023-12-15 11:27:32 -03:00 · fb2372b191
commit fb2372b191
parent 2792f538ce
2 changed files with 10 additions and 1 deletions
--- a/view/img/image404.php
+++ b/view/img/image404.php
@ -70,6 +70,12 @@ if(ImagesPlaceHolders::isDefaultImage($file)){
 }else{
    header("HTTP/1.0 200 OK");
 }
+
+$imageInfo = getimagesize($file);
+if (empty($imageInfo)) {
+    die('not image');
+}
+
 header('Content-Type:' . $type);
 header('Content-Length: ' . filesize($file));
 readfile($file);
--- a/view/img/image404Raw.php
+++ b/view/img/image404Raw.php
@ -10,9 +10,12 @@ if($imageURL == 'favicon.ico'){
 }

 if (file_exists($imgLocalFile)) {
+    $imageInfo = getimagesize($imgLocalFile);
+    if (empty($imageInfo)) {
+        die('not image');
+    }
    // Determine the content type based on the file extension
    $fileExtension = strtolower(pathinfo($imgLocalFile, PATHINFO_EXTENSION));
-
    switch ($fileExtension) {
        case 'jpg':
        case 'jpeg':