Matt Pass 670e3c47a6 Don't match ICEcoder path to doc root use basename ...

The 2 x if conditions added a security measure to avoid path traversals,
should languageBase or languageUser ever be set to something malicious
such as (eg ../../../../../../../etc/passwd)

However, it meant that the ICEcoder dir and the doc root dir paths had
to both start the same, and so be in the same location really. It was
previously a benefit to have them possibly contain different paths, but
this security point restricts this.

We can remove these 2 if conditions however and simply wrap the 2 array
values with basename(), so we take only the trailing file name and so
avoid path traversal issues.

2014-11-27 20:48:28 +00:00

11 KiB

Raw Blame History

View Raw