G 1.5.1-RC3 - jhead exif data called with -v (exposes path)
Posted: Mon, 2005-09-05 03:12
I've noticed that the photo properties in 1.5.1 RC3 now call jhead with a -v option with the photo properties to display exif data. Not only does this display a huge amount of unnecessary information, it also displays the fully qualified OS path to the file, which could possibly be used in a compromise.
This behaviour is in function getExif($file) in util.php (line 1690). Removing the "-v" makes the photo properties function display what you really want.
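As an added illustration of the issue reported above (not part of the original post and not Gallery's own code), the PHP sketch below runs jhead without `-v` and filters its output before display. The function names, the field allowlist and the sample lines are assumptions constructed for this example; it assumes jhead is on the PATH and prints `Label : value` lines.

```php
<?php
// Added example: hypothetical helpers, not Gallery's getExif().

// Assumed allowlist of jhead labels that are safe to show to visitors.
const EXIF_ALLOWED = ['File name', 'Camera make', 'Camera model',
                      'Date/Time', 'Resolution', 'Flash used',
                      'Focal length', 'Exposure time', 'Aperture'];

// Keep only allowlisted "Label : value" lines and reduce the file name
// to its basename so the server-side path never reaches the page.
function filterJheadOutput(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        // Split on the first colon only; dates and paths contain colons.
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue; // not a "Label : value" line (e.g. verbose dump text)
        }
        $label = trim($parts[0]);
        $value = trim($parts[1]);
        if (!in_array($label, EXIF_ALLOWED, true)) {
            continue; // drop anything not explicitly allowed
        }
        if ($label === 'File name') {
            // Normalise Windows separators, then strip the directory part.
            $value = basename(str_replace('\\', '/', $value));
        }
        $out[$label] = $value;
    }
    return $out;
}

// Run jhead without -v; escapeshellarg() keeps the name a single argument.
function readExifSafely(string $file): array
{
    $lines = [];
    exec('jhead ' . escapeshellarg($file), $lines, $status);
    return $status === 0 ? filterJheadOutput($lines) : [];
}

// Constructed sample output (not captured from a real server).
$sample = [
    'File name    : /var/www/example/albums/trip/img_0001.jpg',
    'File size    : 123456 bytes',
    'Camera make  : ExampleCam',
    'Date/Time    : 2005:09:04 18:22:10',
    'Exif header 11000 bytes long',
];
print_r(filterJheadOutput($sample));
```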