comparison contrib/web/php-admin/htdocs/edit.php @ 783:a50b8ab11d28
Validate input in php-admin to avoid altering arbitrary files
(Florian Streibelt, Morten Shearman Kirkegaard)
author | Ben Schmidt |
---|---|
date | Sun, 21 Nov 2010 00:25:20 +1100 |
parents | 6d354f3a8d90 |
children | d92234debf5c |
718:edfd37c7ec4c | 783:a50b8ab11d28 |
---|---|
102 $list = $HTTP_GET_VARS["list"]; | 102 $list = $HTTP_GET_VARS["list"]; |
103 | 103 |
104 if(!isset($list)) | 104 if(!isset($list)) |
105 die("no list specified"); | 105 die("no list specified"); |
106 | 106 |
107 if (strchr($list, "/") !== false) | |
108 die("slash in list name"); | |
109 | |
110 if ($list == ".") | |
111 die("list name is dot"); | |
112 | |
113 if ($list == "..") | |
114 die("list name is dot-dot"); | |
115 | |
107 if(!is_dir($topdir."/".$list)) | 116 if(!is_dir($topdir."/".$list)) |
108 die("non-existent list"); | 117 die("non-existent list"); |
109 | 118 |
110 $tpl->define(array("main" => "edit.html", | 119 $tpl->define(array("main" => "edit.html", |
111 "boolean" => "edit_boolean.html", | 120 "boolean" => "edit_boolean.html", |