Strip ../ so we don't have dir traversal vuln

Matt Pass
2014-04-26 12:24:01 +01:00
parent ec44407e25
commit fa48d0d2f0


@@ -14,8 +14,8 @@ $file = str_replace("|","/",strClean(
: $_GET['file']
));
// Trim any +'s or spaces from the end of file
$file = rtrim(rtrim($file,'+'),' ');
// Trim any +'s or spaces from the end of file and clear any ../'s
$file = str_replace("../","",rtrim(rtrim($file,'+'),' '));
// Make $file a full path and establish the $fileLoc and $fileName
if (strpos($file,$docRoot)===false && $_GET['action']!="getRemoteFile") {$file=str_replace("|","/",$docRoot.$iceRoot.$file);};
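Review bot: The `str_replace("../","",...)` added on the new `$file =` line is a single pass that does not re-scan its own output, so it is not a complete traversal guard: an input where removing one `../` leaves another behind still reaches the path build on the next line, and `..\` is untouched on Windows hosts. A sturdier check canonicalises the finished path and confirms it sits under the document root, placed after the full path is built: `$real = realpath($file);` then `if ($real === false || strpos($real, realpath($docRoot).DIRECTORY_SEPARATOR) !== 0) { exit; }`. Because `realpath()` returns false for files that do not exist yet, canonicalise the parent directory instead in that case. The `strpos($file,$docRoot)===false` test on the last line also appears to skip the prefixing for any value that merely contains the doc-root string somewhere, which is worth confirming against the callers. The `strClean(` call that first assigns `$file` starts above this hunk and the code that consumes `$file` continues below it.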