Mercurial > hg > mlmmj
comparison contrib/web/php-admin/htdocs/edit.php @ 786:b542f6e55f5b
Better validation of input in php-admin (Thomas Goirand)
| author | Ben Schmidt |
|---|---|
| date | Sun, 21 Nov 2010 00:30:23 +1100 |
| parents | a50b8ab11d28 |
| children | d03fae037eb4 |
comparison
equal
deleted
inserted
replaced
| 785:4294e7f1209f | 786:b542f6e55f5b |
|---|---|
| 102 $list = $HTTP_GET_VARS["list"]; | 102 $list = $HTTP_GET_VARS["list"]; |
| 103 | 103 |
| 104 if(!isset($list)) | 104 if(!isset($list)) |
| 105 die("no list specified"); | 105 die("no list specified"); |
| 106 | 106 |
| 107 if (strchr($list, "/") !== false) | 107 if (dirname(realpath($topdir."/".$list)) != $topdir) |
| 108 die("slash in list name"); | 108 die("list outside topdir"); |
| 109 | |
| 110 if ($list == ".") | |
| 111 die("list name is dot"); | |
| 112 | |
| 113 if ($list == "..") | |
| 114 die("list name is dot-dot"); | |
| 115 | 109 |
| 116 if(!is_dir($topdir."/".$list)) | 110 if(!is_dir($topdir."/".$list)) |
| 117 die("non-existent list"); | 111 die("non-existent list"); |
| 118 | 112 |
| 119 $tpl->define(array("main" => "edit.html", | 113 $tpl->define(array("main" => "edit.html", |