From 071c9dddd2e8e7022c2ad6d005b15c1451cfaf66 Mon Sep 17 00:00:00 2001
From: Tom Canac
Date: Sun, 22 Jun 2014 22:13:12 +0200
Subject: [PATCH] fix #35
---
 index.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/index.php b/index.php
index 9fa6314..5471922 100644
--- a/index.php
+++ b/index.php
@@ -152,7 +152,12 @@ $requestedDir = '';
 if (!empty($_GET['dir'])) $requestedDir = $_GET['dir'];
 $thumbdir = rtrim('photos/'.$requestedDir,'/');
-$thumbdir = str_replace('/..', '', $thumbdir); // Prevent directory traversal attacks.
+//$thumbdir = str_replace('/..', '', $thumbdir); // Prevent directory traversal attacks.
+if(strstr($thumbdir, '..') !== FALSE) {
+ $requestedDir = '';
+ $thumbdir = rtrim('photos/','/');
+}
+
 $currentdir = GALLERY_ROOT . $thumbdir;
 //-----------------------
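Review bot: The new `strstr($thumbdir, '..') !== FALSE` guard is a substring blacklist on the raw `$_GET['dir']` value; it closes the `/..` bypass of the old `str_replace`, but the robust form of this check is to canonicalise the final path and confirm it is still inside the photos root, which also rejects symlinks and non-existent directories and stops rejecting legitimate names that merely contain `..`. The commented-out `//$thumbdir = str_replace(...)` line should be deleted rather than kept, `rtrim('photos/','/')` is just `'photos'`, and `strpos(...) !== false` is the idiomatic test here (`strstr` builds a substring only to discard it). Whether `GALLERY_ROOT` carries a trailing separator is not visible in the hunk; the containment check below builds the root the same way `$currentdir` is built, so it does not depend on that. This is flat script code, so the surrounding logic continues outside the hunk.
```php
$currentdir = GALLERY_ROOT . $thumbdir;
// Canonicalise and confirm the resolved target is still inside the photos
// root; realpath() returns false for paths that do not exist.
$photosRoot = realpath(GALLERY_ROOT . 'photos');
$resolved = realpath($currentdir);
if ($photosRoot === false || $resolved === false
    || ($resolved !== $photosRoot && strpos($resolved, $photosRoot . DIRECTORY_SEPARATOR) !== 0)) {
    $requestedDir = '';
    $thumbdir = 'photos';
    $currentdir = GALLERY_ROOT . $thumbdir;
}
// … unchanged: rest of the script …
```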