Fixed an RCE vulnerability

Author: brandonkelly

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 3.x
 
+## Unreleased
+
+- Fixed an RCE vulnerability.
+
 ## 3.9.14 - 2024-12-19 [CRITICAL]
 
 - Fixed an RCE vulnerability.

src/controllers/AssetsController.php

@@ -1197,6 +1197,9 @@ public function actionGenerateTransform(int $transformId = null): Response
         } else {
             $assetId = $this->request->getRequiredBodyParam('assetId');
             $handle = $this->request->getRequiredBodyParam('handle');
+            if (!is_string($handle)) {
+                throw new BadRequestHttpException('Invalid transform handle.');
+            }
             $assetModel = Craft::$app->getAssets()->getAssetById($assetId);
             if ($assetModel === null) {
                 throw new BadRequestHttpException('Invalid asset ID: ' . $assetId);