From 15fe43098f530453615d4f80a797d976941fa9cd Mon Sep 17 00:00:00 2001
From: Matt Pass <matt@mattpass.com>
Date: Tue, 16 Sep 2014 18:30:34 +0100
Subject: [PATCH] Cover local and remote files, but avoid LFI

---
 lib/file-control.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/file-control.php b/lib/file-control.php
index 1b71247..d5d73a6 100644
--- a/lib/file-control.php
+++ b/lib/file-control.php
@@ -18,9 +18,12 @@ $file = str_replace("|","/",strClean(
 // Trim any +'s or spaces from the end of file and clear any ../'s
 $file = str_replace("../","",rtrim(rtrim($file,'+'),' '));
 
-// Die if the doc root realpath doesn't match the start of the requested file's realpath
-if(strpos(realpath($file),realpath($docRoot)) !== 0) {
-        die("alert('Sorry - problem with file location & doc root - ".realpath($file)."');</script>");
+// Die if the file requested isn't something we expect
+if(
+        ($_GET['action']!="getRemoteFile" && strpos(realpath($file),realpath($docRoot)) !== 0) ||
+        ($_GET['action']=="getRemoteFile" && strpos($file,"http") !== 0)
+        ) {
+        die("alert('Sorry - problem with file requested');</script>");
 };
 
 // Make $file a full path and establish the $fileLoc and $fileName