Need to establish full $file path first

Otherwise we won't have a valid fullpath to find $docRoot in
Matt Pass
2014-09-18 10:47:57 +01:00
parent 2ad6f7fbc8
commit 3b0a00af02


@@ -18,6 +18,11 @@ $file = str_replace("|","/",strClean(
// Trim any +'s or spaces from the end of file and clear any ../'s
$file = str_replace("../","",rtrim(rtrim($file,'+'),' '));
// Make $file a full path and establish the $fileLoc and $fileName
if (strpos($file,$docRoot)===false && $_GET['action']!="getRemoteFile") {$file=str_replace("|","/",$docRoot.$iceRoot.$file);};
$fileLoc = substr(str_replace($docRoot,"",$file),0,strrpos(str_replace($docRoot,"",$file),"/"));
$fileName = basename($file);
// Die if the file requested isn't something we expect
if(
($_GET['action']!="getRemoteFile" && strpos(realpath($file),realpath($docRoot)) !== 0) ||
@@ -26,11 +31,6 @@ if(
die("alert('Sorry - problem with file requested');</script>");
};
// Make $file a full path and establish the $fileLoc and $fileName
if (strpos($file,$docRoot)===false && $_GET['action']!="getRemoteFile") {$file=str_replace("|","/",$docRoot.$iceRoot.$file);};
$fileLoc = substr(str_replace($docRoot,"",$file),0,strrpos(str_replace($docRoot,"",$file),"/"));
$fileName = basename($file);
// echo ";alert('".xssClean($_GET['action'],"html")." : ".$file."');console.log('".xssClean($_GET['action'],"html")." : ".$file."');";
// If we're due to open a file...
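Review bot: The containment test that now follows the moved block, `strpos(realpath($file),realpath($docRoot)) !== 0`, is a plain string-prefix match, so a resolved path in a sibling directory whose name merely begins with the document root's path (constructed example: `/var/www-old` against `/var/www`) would be accepted. The single-pass `str_replace("../","",…)` above it is not a reliable filter on its own, because nested sequences can re-form `../` after one pass, so this realpath comparison is the real guard; it should compare on a directory boundary and treat a `false` result from `realpath()` explicitly, for example `$real = realpath($file); $root = rtrim(realpath($docRoot),'/').'/';` followed by `$real === false || strpos($real.'/', $root) !== 0`. In the moved line, `strpos($file,$docRoot)===false` looks for `$docRoot` anywhere in the value rather than at its start; `strpos($file,$docRoot)!==0` would express the intent. The `if(` condition continues outside the visible hunks, so the remaining clauses need checking before it is changed.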