Fixed checking of banned files

This commit is contained in:
Matt Pass
2019-10-02 08:59:50 +01:00
committed by GitHub
parent 0f5313a58e
commit 3f99e02aac


@@ -70,10 +70,18 @@ if (!$error) {
// Uncomment to alert and console.log the action and file, useful for debugging
// echo ";alert('".xssClean($_GET['action'],"html")." : ".$allFiles[$i]."');console.log('".xssClean($_GET['action'],"html")." : ".$allFiles[$i]."');";
$bannedFileFound = false;
for ($j=0; $j<count($_SESSION['bannedFiles']); $j++) {
$thisFile = str_replace("*","",$_SESSION['bannedFiles'][$j]);
if ($thisFile != "" && strpos($allFiles[$i],$thisFile)!==false) {
$bannedFileFound = true;
}
}
// Die if the file requested isn't something we expect
if(
// On the banned file/dir list
(str_replace("*","",$_SESSION['bannedFiles'][$i]) != "" && strpos($allFiles[$i],str_replace("*","",$_SESSION['bannedFiles'][$i]))!==false) ||
($bannedFileFound) ||
// A local folder that isn't the doc root or starts with the doc root
($_GET['action']!="getRemoteFile" && !isset($ftpSite) &&
rtrim($allFiles[$i],"/") !== rtrim($docRoot,"/") &&