fix: Validate filename in _file_put_contents and update uploadPoster to use internal path for thumbnails

Daniel Neto · Daniel Neto · commit 6bd286a98e02 · 2026-04-03T23:22:49.000-03:00
diff --git a/objects/functionsFile.php b/objects/functionsFile.php
@@ -810,6 +810,10 @@ function getTmpFile()
 
 function _file_put_contents($filename, $data, $flags = 0, $context = null)
 {
+    if (!is_string($filename) || trim($filename) === '') {
+        _error_log("_file_put_contents: empty filename");
+        return false;
+    }
     make_path($filename);
     if (!is_string($data)) {
         $data = _json_encode($data);
diff --git a/plugin/Live/uploadPoster.json.php b/plugin/Live/uploadPoster.json.php
@@ -44,8 +44,8 @@
         // SECURITY: Use internal path for file operations but don't expose to API
         $internalPathThumbs = $global['systemRootPath'] . Live::_getPosterThumbsImage(User::getId(), $live_servers_id, $posterType);
 
-        _error_log("removePoster.php ({$obj->pathThumbs}) unlink line=" . __LINE__);
-        @unlink($obj->pathThumbs);
+        _error_log("removePoster.php ({$internalPathThumbs}) unlink line=" . __LINE__);
+        @unlink($internalPathThumbs);
         $obj->error = false;
     }
 }
@@ -63,10 +63,9 @@
     }
 
     if (!empty($jsonTargetImagePath)) {
-        $obj->jsonFile = str_replace('.jpg', '.json', $jsonTargetImagePath);
-        $obj->jsonFileBytes = _file_put_contents($obj->jsonFile, $o);
+        $jsonFilePath = str_replace('.jpg', '.json', $jsonTargetImagePath);
+        $obj->jsonFileBytes = _file_put_contents($jsonFilePath, $o);
     } else {
-        $obj->jsonFile = '';
         $obj->jsonFileBytes = false;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,8 @@`
`44`	`44`	`// SECURITY: Use internal path for file operations but don't expose to API`
`45`	`45`	`$internalPathThumbs = $global['systemRootPath'] . Live::_getPosterThumbsImage(User::getId(), $live_servers_id, $posterType);`
`46`	`46`
`47`		`- _error_log("removePoster.php ({$obj->pathThumbs}) unlink line=" . __LINE__);`
`48`		`- @unlink($obj->pathThumbs);`
	`47`	`+ _error_log("removePoster.php ({$internalPathThumbs}) unlink line=" . __LINE__);`
	`48`	`+ @unlink($internalPathThumbs);`
`49`	`49`	`$obj->error = false;`
`50`	`50`	`}`
`51`	`51`	`}`
`@@ -63,10 +63,9 @@`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`if (!empty($jsonTargetImagePath)) {`
`66`		`- $obj->jsonFile = str_replace('.jpg', '.json', $jsonTargetImagePath);`
`67`		`- $obj->jsonFileBytes = _file_put_contents($obj->jsonFile, $o);`
	`66`	`+ $jsonFilePath = str_replace('.jpg', '.json', $jsonTargetImagePath);`
	`67`	`+ $obj->jsonFileBytes = _file_put_contents($jsonFilePath, $o);`
`68`	`68`	`} else {`
`69`		`- $obj->jsonFile = '';`
`70`	`69`	`$obj->jsonFileBytes = false;`
`71`	`70`	`}`
`72`	`71`	`}`