Mirrors/ICEcoder
2
0
Fork 0
mirror of https://github.com/icecoder/ICEcoder.git synced 2026-03-03 07:13:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

Cover local and remote files, but avoid LFI

Browse Source
This commit is contained in:
Matt Pass
2014-09-16 18:30:34 +01:00
parent 05de070294
commit 15fe43098f
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/file-control.php
View File

@@ -18,9 +18,12 @@ $file = str_replace("|","/",strClean(
// Trim any +'s or spaces from the end of file and clear any ../'s
$file = str_replace("../","",rtrim(rtrim($file,'+'),' '));
// Die if the doc root realpath doesn't match the start of the requested file's realpath
if(strpos(realpath($file),realpath($docRoot)) !== 0) {
die("alert('Sorry - problem with file location & doc root - ".realpath($file)."');</script>");
// Die if the file requested isn't something we expect
if(
($_GET['action']!="getRemoteFile" && strpos(realpath($file),realpath($docRoot)) !== 0) ||
($_GET['action']=="getRemoteFile" && strpos($file,"http") !== 0)
) {
die("alert('Sorry - problem with file requested');</script>");
};
// Make $file a full path and establish the $fileLoc and $fileName