Merge pull request from GHSA-h632-p764-pjqm

Co-authored-by: Mark Lewis <[email protected]>

Author: colinmollenhour

app/code/core/Mage/Catalog/Model/Product/Attribute/Backend/Media.php

@@ -276,6 +276,12 @@ public function addImage(
         $move = false,
         $exclude = true
     ) {
+        if (strpos($file, chr(0)) !== false
+            || preg_match('#(^|[\\\\/])\.\.($|[\\\\/])#', $file)
+        ) {
+            throw new Exception('Detected malicious path or filename input.');
+        }
+
         $file = realpath($file);
 
         if (!$file || !file_exists($file)) {

lib/Varien/Io/File.php

@@ -484,10 +484,17 @@ public function read($filename, $dest = null)
      * @param int $mode
      *
      * @return int|boolean
+     * @throws Exception
      */
     public function write($filename, $src, $mode = null)
     {
-        if (!$this->_isValidSource($src) || !$this->_isFilenameWriteable($filename)) {
+        if (strpos($filename, chr(0)) !== false
+            || preg_match('#(^|[\\\\/])\.\.($|[\\\\/])#', $filename)
+        ) {
+            throw new Exception('Detected malicious path or filename input.');
+        }
+
+        if (!$this->_IsValidSource($src) || !$this->_isFilenameWriteable($filename)) {
             return false;
         }