*
*/
class CRM_Contact_Page_ImageFile extends CRM_Core_Page {
- function run(){
- $currentURL = CRM_Utils_System::makeURL(NULL, FALSE, FALSE, NULL, TRUE);
- $sql = "SELECT id FROM civicrm_contact WHERE image_url=%1;";
- $params = array(1 => array($currentURL, 'String'));
+ function run() {
+ if (!preg_match('/^[^\/]+\.(jpg|jpeg|png|gif)$/i', $_GET['photo'])) {
+ CRM_Core_Error::fatal('Malformed photo name');
+ }
+
+ // FIXME Optimize performance of image_url query
+ $sql = "SELECT id FROM civicrm_contact WHERE image_url like %1;";
+ $params = array(
+ 1 => array("%" . $_GET['photo'], 'String')
+ );
$dao = CRM_Core_DAO::executeQuery($sql, $params);
- while ($dao->fetch()){
- $cid=$dao->id;
+ while ($dao->fetch()) {
+ $cid = $dao->id;
}
- if ($cid){
- $config = CRM_Core_Config::singleton();
- $buffer = file_get_contents($config->customFileUploadDir . $_GET['photo']);
- $mimeType = 'image/' .pathinfo($_GET['photo'], PATHINFO_EXTENSION);
- CRM_Utils_System::download($_GET['photo'], $mimeType, $buffer,
+ if ($cid) {
+ $config = CRM_Core_Config::singleton();
+ $buffer = file_get_contents($config->customFileUploadDir . $_GET['photo']);
+ $mimeType = 'image/' . pathinfo($_GET['photo'], PATHINFO_EXTENSION);
+ CRM_Utils_System::download($_GET['photo'], $mimeType, $buffer,
NULL,
- TRUE,
- 'inline'
+ TRUE,
+ 'inline'
);
+ CRM_Utils_System::civiExit();
}
- else{
- echo 'image url not in database';
+ else {
+ CRM_Core_Error::fatal('Photo does not exist');
}
- CRM_Utils_System::civiExit();
}
}
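Review bot: The allowlist regex on `$_GET['photo']` at the top of the new `run()` is a negative character class, so `[^\/]+` still admits backslashes, CR/LF and the LIKE metacharacters `%`/`_`, and the trailing `$` accepts a final newline. Because the same string is concatenated unescaped into the `LIKE %1` pattern a few lines below, `_` and `%` loosen the database gate that is meant to confirm the requested file is a contact image; tighten to a positive class with a hard end anchor, e.g. `if (!isset($_GET['photo']) || !preg_match('/^[A-Za-z0-9_.-]+\.(jpe?g|png|gif)\z/i', $_GET['photo']))` (widen the class only if existing image names carry other characters), and escape the wildcards, `1 => array('%' . addcslashes($_GET['photo'], '%_'), 'String')`. The suffix match has no separator, so `%b.jpg` also matches an `image_url` ending in `ab.jpg` and a request can pass the gate on a different contact's image; if `image_url` values are stored as URLs or paths (verify the format), prefixing `'%/'` anchors the comparison on the file name. `$cid` is never initialised, so `if ($cid)` reads an undefined variable whenever the query returns no rows; add `$cid = NULL;` before the `while`. `$buffer` is also passed to `download()` without checking for `FALSE` when the row exists but the file is missing on disk.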