Establish realpath test begins with $docRoot or die

No need to str_replace ../, as that isn't real protection, use realpath instead Always turn into a real path (we'll only pass relative paths here anyway), and change \ to / on Windows setups Only if file exists and begins with the root path do anything, die otherwise
2026-03-03 07:13:59 +01:00 · 2014-09-18 10:57:41 +01:00
parent 3b0a00af02
commit 24ea1b108f
1 changed files with 8 additions and 5 deletions
--- a/lib/github.php
+++ b/lib/github.php
@@ -148,15 +148,18 @@ if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset
 			// Replace pipes with slashes
 			$file = str_replace("|","/",$selectedFiles[$i]);

-			// Trim any +'s or spaces from the end of file and clear any ../'s
-			$file = str_replace("../","",rtrim(rtrim($file,'+'),' '));
+			// Trim any +'s or spaces from the end of file
+			$file = rtrim(rtrim($file,'+'),' ');

-			// Make $file a full path
-			if (strpos($file,$docRoot)===false) {$file=str_replace("|","/",$docRoot.$iceRoot.$file);};
+			// Establish the real absolute path to the file
+			$file = str_replace("\\","/",realpath($docRoot.$iceRoot.$file));

-			if (file_exists($file)) {
+			// Only get the file if it exists and begins with our $docRoot
+			if (file_exists($file) && strpos($file,$docRoot) === 0) {
 				$loadedFile = toUTF8noBOM(file_get_contents($file,false,$context),true);
 				echo '<textarea name="loadedFile'.$i.'" id="loadedFile'.$i.'" style="display: none">'.str_replace("</textarea>","<ICEcoder:/:textarea>",str_replace("&","&amp;",$loadedFile)).'</textarea><br><br>'.PHP_EOL.PHP_EOL;
+			} else {
+				die("<script>alert('Sorry, that file doesn\'t appear to exist');</script>");
 			}
 		}
 		?>