Merge pull request #103 from Aldarone/89-double-dot-in-dir-name

Allow to use « .. » in directory name.
2015-07-24 13:59:50 +02:00 · 2015-07-24 13:59:50 +02:00 · 43369d1f32
parent 6a670e1465 950a741cbd
commit 43369d1f32
1 changed files with 6 additions and 7 deletions
--- a/index.php
+++ b/index.php
@ -146,16 +146,15 @@ if (!empty($_GET['dir'])) {
 	$requestedDir = $_GET['dir'];
 }

+$photoRoot = GALLERY_ROOT . 'photos/';
 $thumbdir = rtrim('photos/' . $requestedDir, '/');
-
-//$thumbdir = str_replace('/..', '', $thumbdir); // Prevent directory traversal attacks.
-if (strstr($thumbdir, '..') !== false) {
-	$requestedDir = '';
-	$thumbdir = rtrim('photos/', '/');
-}
-
 $currentdir = GALLERY_ROOT . $thumbdir;

+$thumbdirIsInPhotoRoot = strpos(realpath($thumbdir), realpath($photoRoot));
+if ($thumbdirIsInPhotoRoot === false) {
+	die("ERROR: Could not open " . htmlspecialchars(stripslashes($currentdir)) . " for reading!");
+}
+
 //-----------------------
 // READ FILES AND FOLDERS
 //-----------------------