From 6189d2670cb397e99f4f35bf1f0c0258a579a8ed Mon Sep 17 00:00:00 2001
From: Andrew Bauer
Date: Wed, 25 Jan 2017 09:05:34 -0600
Subject: [PATCH] ZM_DIR_EVENTS can be, and often is, a symlink
---
 web/views/image.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/web/views/image.php b/web/views/image.php
index df454d792..bb9335353 100644
--- a/web/views/image.php
+++ b/web/views/image.php
@@ -79,8 +79,10 @@ if ( empty($_REQUEST['path']) )
 $errorText = "No image path";
 }
 } else {
- $path = realpath(ZM_DIR_EVENTS . '/' . $_REQUEST['path']);
- if(strpos($path, ZM_DIR_EVENTS) == 0 && strpos($path, ZM_DIR_EVENTS) === true) {
+ $dir_events = realpath(ZM_DIR_EVENTS);
+ $path = realpath($dir_events . '/' . $_REQUEST['path']);
+
+ if(strpos($path, $dir_events) == 0) {
 if ( !empty($user['MonitorIds']) ) {
 $imageOk = false;
 $pathMonId = substr( $path, 0, strspn( $path, "1234567890" ) );
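Review bot: The containment test `strpos($path, $dir_events) == 0` on the added `if` line fails open: with a loose comparison it is also true when strpos() returns false, that is, when the resolved path does not lie under the events directory, or when realpath() returned false for the requested file. The prefix also lacks a trailing separator, so a sibling directory whose name merely begins with the events directory name would match. I would write the guard as `if ($dir_events !== false && $path !== false && strpos($path, $dir_events . '/') === 0) {`. Separately, `$pathMonId` on the last context line is taken from the leading digits of `$path`, which is an absolute path here, so it looks like it will always be empty; that is worth confirming against the monitor check that follows, which continues outside this hunk.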