diff contrib/web/php-admin/htdocs/save.php @ 783:a50b8ab11d28

Validate input in php-admin to avoid altering arbitrary files (Florian Streibelt, Morten Shearman Kirkegaard)
author Ben Schmidt
date Sun, 21 Nov 2010 00:25:20 +1100
parents 6d354f3a8d90
children d92234debf5c
--- a/contrib/web/php-admin/htdocs/save.php	Fri Feb 19 03:21:55 2010 +1100
+++ b/contrib/web/php-admin/htdocs/save.php	Sun Nov 21 00:25:20 2010 +1100
@@ -79,6 +79,15 @@
 if(!isset($list))
 die("no list specified");
 
+if (strchr($list, "/") !== false)
+die("slash in list name");
+
+if ($list == ".")
+die("list name is dot");
+
+if ($list == "..")
+die("list name is dot-dot");
+
 if(!is_dir($topdir."/".$list))
 die("non-existent list");
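Review bot: The three added checks reject a forward slash, `.` and `..`, but they are a denylist and still accept an empty string, a backslash and an embedded NUL byte; an empty `$list` makes `$topdir."/".$list` resolve to `$topdir` itself, which the `is_dir()` check on the following line accepts. A single allowlist closes all of these at once and is easier to audit, e.g. `if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*$/', $list)) die("invalid list name");` in place of the three new blocks (the leading-character class also excludes `.` and `..`). If the separate checks are kept, the two comparisons should be strict (`$list === "."`, `$list === ".."`) so the string is never coerced before comparison. Where `$list` is assigned is outside the hunk, so I cannot confirm whether it is already constrained upstream.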