Fix PHP warning

9 years ago · e1f6a59670
parent cb80d33cdb
commit e1f6a59670
2 changed files with 11 additions and 5 deletions
--- a/main/dropbox/dropbox_download.php
+++ b/main/dropbox/dropbox_download.php
@ -93,11 +93,13 @@ if (!$allowed_to_download) {
    $_SESSION['_seen'][$_course['id']][TOOL_DROPBOX][] = intval($_GET['id']);

    $work = new Dropbox_Work($_GET['id']);
-
-    $path = api_get_path(SYS_COURSE_PATH).$_course['path'].'/dropbox/'.$work -> filename; //path to file as stored on server
-
-    if (!Security::check_abs_path($path, api_get_path(SYS_COURSE_PATH).$_course['path'].'/dropbox/')) {
-        exit;
+    //path to file as stored on server
+    $path = api_get_path(SYS_COURSE_PATH).$_course['path'].'/dropbox/'.$work->filename;
+    if (!Security::check_abs_path(
+        $path,
+        api_get_path(SYS_COURSE_PATH).$_course['path'].'/dropbox/')
+    ) {
+        api_not_allowed(true);
    }
    $file = $work->title;
    $result = DocumentManager::file_send_for_download($path, true, $file);
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@ -58,6 +58,10 @@ class Security
        $true_path = str_replace("\\", '/', realpath($abs_path));
        $checker_path = str_replace("\\", '/', realpath($checker_path));

+        if (empty($checker_path)) {
+            return false;
+        }
+
        $found = strpos($true_path.'/', $checker_path);

        if ($found === 0) {