From 4e5291c77aac573860489f83c8ca627e7c793b86 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Sat, 18 Aug 2012 09:24:35 +0200
Subject: [PATCH] Use SCRIPT_NAME instead of PHP_SELF which won't send the PATH_INFO, this prevents XSS in old browsers. Thanks to Nico Golde.
---
 apps/files/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/files/index.php b/apps/files/index.php
index 60a3836cb59..077187fbc13 100644
--- a/apps/files/index.php
+++ b/apps/files/index.php
@@ -39,7 +39,7 @@ OCP\App::setActiveNavigationEntry( 'files_index' );
 $dir = isset( $_GET['dir'] ) ? stripslashes($_GET['dir']) : '';
 // Redirect if directory does not exist
 if(!OC_Filesystem::is_dir($dir.'/')) {
- header('Location: '.$_SERVER['PHP_SELF'].'');
+ header('Location: '.$_SERVER['SCRIPT_NAME'].'');
 }
 $files = array();
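Review bot: The redirect inside the `if(!OC_Filesystem::is_dir($dir.'/'))` branch is not followed by `exit;`, so after the `Location` header is set the script keeps running into `$files = array();` and whatever comes next, still holding a `$dir` that was just found not to exist. Ending the request right after the header would stop the page from being built and sent as the redirect body for an invalid directory; the trailing `.''` is a no-op and can go at the same time: `header('Location: '.$_SERVER['SCRIPT_NAME']); exit;`. The rest of the file lies outside the hunk, so whether later code re-validates `$dir` cannot be confirmed from here.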