From fe9b005a2701e7acd1dbc49e8ee72215b0a1373e Mon Sep 17 00:00:00 2001
From: Bart Mollet
Date: Wed, 24 Jan 2007 16:37:27 +0100
Subject: [PATCH] [svn r10875] Fixed security hole
---
 main/work/work.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/main/work/work.php b/main/work/work.php
index d65e80b456..bc0d2af13a 100644
--- a/main/work/work.php
+++ b/main/work/work.php
@@ -23,7 +23,7 @@
 * @author Patrick Cool , Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
 * @author Roan Embrechts, code refactoring and virtual course support
 * @author Frederic Vauthier, directories management
-* @version $Id: work.php 10814 2007-01-22 10:20:48Z elixir_julian $
+* @version $Id: work.php 10875 2007-01-24 15:37:27Z bmol $
 *
 * @todo refactor more code into functions, use quickforms, coding standards, ...
 */
@@ -150,16 +150,17 @@
 $http_www = api_get_path('WEB_COURSE_PATH').$_course['path'].'/work';
 if(isset($_GET['curdirpath']) && $_GET['curdirpath']!='')
 {
- $cur_dir_path = preg_replace('#/\.\./#','/',$_GET['curdirpath']); //escape '..' hack attempts
+ $cur_dir_path = preg_replace('#[\.]+/#','',$_GET['curdirpath']); //escape '..' hack attempts
 }
 elseif (isset($_POST['curdirpath']) && $_POST['curdirpath']!='')
 {
- $cur_dir_path = preg_replace('#/\.\./#','/',$_POST['curdirpath']); //escape '..' hack attempts
+ $cur_dir_path = preg_replace('#[\.]+/#','/',$_POST['curdirpath']); //escape '..' hack attempts
 }
 else
 {
 $cur_dir_path = '/';
 }
+
 if (!is_subdir_of($cur_dir_path,$base_work_dir) or ($cur_dir_path == '.'))
 {
 $cur_dir_path='/';
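Review bot: The two new preg_replace lines in the second hunk disagree: the `$_GET` branch replaces `[\.]+/` with `''` while the `$_POST` branch (and the code being replaced) uses `'/'`, so the same `curdirpath` value is canonicalised differently by request method — `/a/../b` becomes `/ab` via GET but `/a//b` via POST — and the GET form can splice two path segments into a new directory name. The GET line should read `$cur_dir_path = preg_replace('#[\.]+/#','/',$_GET['curdirpath']); //escape '..' hack attempts` so both branches behave the same. Note also that the pattern only fires on a run of dots followed by a slash, so a bare trailing `..` passes through untouched; the `is_subdir_of($cur_dir_path,$base_work_dir)` check just below is therefore the effective boundary and should be what the code relies on, ideally comparing a `realpath()`-resolved path against the base if it does not already (its definition is outside this hunk).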