fix: added missing CSRF check

thorsten · thorsten · commit caa3a7673d6d · 2026-03-30T12:15:58.000+02:00
diff --git a/phpmyfaq/admin/assets/src/content/editor.ts b/phpmyfaq/admin/assets/src/content/editor.ts
@@ -266,6 +266,9 @@ export const renderEditor = () => {
       ajax: {
         url: './api/media-browser',
         contentType: 'application/json; charset=UTF-8',
+        data: {
+          csrfToken: (document.getElementById('pmf-csrf-token') as HTMLInputElement).value,
+        },
       },
       createNewFolder: false,
       deleteFolder: false,
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/MediaBrowserController.php b/phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/MediaBrowserController.php
@@ -24,6 +24,7 @@
 use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Filter;
+use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
 use phpMyFAQ\Utils;
 use RecursiveDirectoryIterator;
@@ -58,11 +59,23 @@ public function index(Request $request): JsonResponse|Response
         $action = Filter::filterVar($data->action, FILTER_SANITIZE_SPECIAL_CHARS);
 
         if ($action === 'fileRemove') {
-            $file = Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS);
-            $file = PMF_CONTENT_DIR . '/user/images/' . $file;
+            if (!Token::getInstance($this->container->get(id: 'session'))->verifyToken(
+                'media-browser',
+                $data->csrfToken,
+            )) {
+                return $this->json(['error' => Translation::get(key: 'msgNoPermission')], Response::HTTP_UNAUTHORIZED);
+            }
+
+            $file = basename(Filter::filterVar($data->name, FILTER_SANITIZE_SPECIAL_CHARS));
+            $allowedDir = realpath(PMF_CONTENT_DIR . '/user/images');
+            $targetPath = realpath(PMF_CONTENT_DIR . '/user/images/' . $file);
+
+            if ($targetPath === false || !str_starts_with($targetPath, $allowedDir . DIRECTORY_SEPARATOR)) {
+                return $this->json(['error' => 'Invalid file path'], Response::HTTP_BAD_REQUEST);
+            }
 
-            if (file_exists($file)) {
-                unlink($file);
+            if (file_exists($targetPath)) {
+                unlink($targetPath);
             }
 
             $response = [
diff --git a/tests/phpMyFAQ/Search/SearchDatabaseTest.php b/tests/phpMyFAQ/Search/SearchDatabaseTest.php
@@ -148,7 +148,10 @@ public function testSetAndGetConditionsWithoutConditions()
     public function testGetMatchClause()
     {
         $this->searchDatabase->setMatchingColumns(['faqdata.author']);
-        $this->assertEquals(" (faqdata.author LIKE '%Thorsten%' ESCAPE '\\')", $this->searchDatabase->getMatchClause('Thorsten'));
+        $this->assertEquals(
+            " (faqdata.author LIKE '%Thorsten%' ESCAPE '\\')",
+            $this->searchDatabase->getMatchClause('Thorsten'),
+        );
         $this->assertIsString($this->searchDatabase->getMatchClause('Thorsten'));
     }
 

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,10 @@ public function testSetAndGetConditionsWithoutConditions()`
`148`	`148`	`public function testGetMatchClause()`
`149`	`149`	`{`
`150`	`150`	`$this->searchDatabase->setMatchingColumns(['faqdata.author']);`
`151`		`- $this->assertEquals(" (faqdata.author LIKE '%Thorsten%' ESCAPE '\\')", $this->searchDatabase->getMatchClause('Thorsten'));`
	`151`	`+ $this->assertEquals(`
	`152`	`+ " (faqdata.author LIKE '%Thorsten%' ESCAPE '\\')",`
	`153`	`+ $this->searchDatabase->getMatchClause('Thorsten'),`
	`154`	`+ );`
`152`	`155`	`$this->assertIsString($this->searchDatabase->getMatchClause('Thorsten'));`
`153`	`156`	`}`
`154`	`157`