maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

prevent directory traversal in paths

Browse Source
This commit is contained in:
Hanno Heinrichs
2016-01-28 22:40:54 +01:00
parent 7f82549e23
commit 6eeaf66e2c
1 changed files with 10 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
lib/functions/filedir/function.makeSecurePath.php
View File

@@ -26,15 +26,21 @@
*/ */
function makeSecurePath($path) { function makeSecurePath($path) {
// check for bad characters, some are allowed with escaping
// but we generally don't want them in our directory-names,
// thx to aaronmueller for this snipped
$badchars = array(':', ';', '|', '&', '>', '<', '`', '$', '~', '?', "\0");
foreach ($badchars as $bc) {
$path = str_replace($bc, "", $path);
}
$search = array( $search = array(
'#/+#', '#/+#',
'#\.+#', '#\.+#'
'#\0+#'
); );
$replace = array( $replace = array(
'/', '/',
'.', '.'
''
); );
$path = preg_replace($search, $replace, $path); $path = preg_replace($search, $replace, $path);
// don't just replace a space with an escaped space // don't just replace a space with an escaped space
@@ -42,13 +48,5 @@ function makeSecurePath($path) {
$path = str_replace("\ ", " ", $path); $path = str_replace("\ ", " ", $path);
$path = str_replace(" ", "\ ", $path); $path = str_replace(" ", "\ ", $path);
// check for bad characters, some are allowed with escaping
// but we generally don't want them in our directory-names,
// thx to aaronmueller for this snipped
$badchars = array(':', ';', '|', '&', '>', '<', '`', '$', '~', '?');
foreach ($badchars as $bc) {
$path = str_replace($bc, "", $path);
}
return $path; return $path;
} }