# HG changeset patch # User Ben Schmidt # Date 1278428736 -36000 # Node ID 773c6ef6fb10877772d0d8e307c51f4dca5a7a20 # Parent 6713d89baae8e35881f2928d7bdfa119c96337a0 Validate input in php-admin to avoid altering arbitrary files (Florian Streibelt, Morten Shearman Kirkegaard) diff -r 6713d89baae8 -r 773c6ef6fb10 ChangeLog --- a/ChangeLog Fri Jul 30 09:50:34 2010 +1000 +++ b/ChangeLog Wed Jul 07 01:05:36 2010 +1000 @@ -1,3 +1,5 @@ + o Fixed security bug in mlmmj-php-admin (Florian Streibelt, Morten Shearman + Kirkegaard) o Added "send" keyword to control/access handling (Ben Schmidt) o Added contrib/amime-receive (Gerd v. Egidy) o Fixed memory leak in substitute_one() (Ben Schmidt) diff -r 6713d89baae8 -r 773c6ef6fb10 contrib/web/php-admin/htdocs/edit.php --- a/contrib/web/php-admin/htdocs/edit.php Fri Jul 30 09:50:34 2010 +1000 +++ b/contrib/web/php-admin/htdocs/edit.php Wed Jul 07 01:05:36 2010 +1000 @@ -104,6 +104,15 @@ if(!isset($list)) die("no list specified"); +if (strchr($list, "/") !== false) +die("slash in list name"); + +if ($list == ".") +die("list name is dot"); + +if ($list == "..") +die("list name is dot-dot"); + if(!is_dir($topdir."/".$list)) die("non-existent list"); diff -r 6713d89baae8 -r 773c6ef6fb10 contrib/web/php-admin/htdocs/save.php --- a/contrib/web/php-admin/htdocs/save.php Fri Jul 30 09:50:34 2010 +1000 +++ b/contrib/web/php-admin/htdocs/save.php Wed Jul 07 01:05:36 2010 +1000 @@ -79,6 +79,15 @@ if(!isset($list)) die("no list specified"); +if (strchr($list, "/") !== false) +die("slash in list name"); + +if ($list == ".") +die("list name is dot"); + +if ($list == "..") +die("list name is dot-dot"); + if(!is_dir($topdir."/".$list)) die("non-existent list");
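Review bot: the ChangeLog hunk says only "Fixed security bug in mlmmj-php-admin", which tells an administrator nothing about exposure. Name the defect the way the commit message does (the list name taken by edit.php and save.php was not validated, so a value containing "/" or ".." could make the scripts read and alter files outside the list directory) and mention that the patch touches only contrib/web/php-admin, so sites that do not deploy the PHP admin interface can see at a glance that this entry does not apply to them.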
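Review bot: in the edit.php hunk the three new checks still let an empty list name through. `$list = ""` satisfies `isset`, contains no slash and is neither "." nor "..", so it reaches `if(!is_dir($topdir."/".$list))`, and `$topdir."/"` is a directory, so the script continues with `$topdir` itself as the "list". Add `if ($list === "") die("empty list name");` next to the other checks, or replace the blacklist with a single whitelist such as `if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*\z/', $list)) die("invalid list name");` (adjust the character class to what the site allows in list names), which rejects the empty string, a leading dot, slashes, NUL bytes and control characters in one place. Minor: `strpos($list, "/") !== false` is the idiomatic form of the `strchr` test, and `===` in the dot comparisons avoids PHP's loose string comparison.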
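Review bot: the save.php hunk duplicates the edit.php checks line for line, with the same gap (an empty `$list` passes and `is_dir($topdir."/")` succeeds). Move the validation into one function in a shared include, for example a `valid_list_name($list)` that both scripts call right after the `isset` test, so that any other php-admin script that accepts a list name gets the same guard and any later tightening of the rule lands in a single place rather than having to be copied into each file.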