Merge pull request #104 from Aldarone/89-double-dot-in-dir-name
Somewhat more complex protection against directory traversal attacks.
This commit is contained in:
commit
4abbb3011b
1 changed files with 15 additions and 4 deletions
19
index.php
19
index.php
|
@ -137,6 +137,20 @@ function checkpermissions($file) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function guardAgainstDirectoryTraversal($path) {
|
||||||
|
/*
|
||||||
|
* I don't like regexes but this matches
|
||||||
|
* any attemp of directory traversal I could think of
|
||||||
|
* without forbidding « .. » in directory names.
|
||||||
|
*/
|
||||||
|
$pattern = "/^(.*\/)?(\.\.)(\/.*)?$/";
|
||||||
|
$directoryTraversal = preg_match($pattern, $path);
|
||||||
|
|
||||||
|
if ($directoryTraversal === 1) {
|
||||||
|
die("ERROR: Could not open " . htmlspecialchars(stripslashes($currentdir)) . " for reading!");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!defined("GALLERY_ROOT")) {
|
if (!defined("GALLERY_ROOT")) {
|
||||||
define("GALLERY_ROOT", "");
|
define("GALLERY_ROOT", "");
|
||||||
}
|
}
|
||||||
|
@ -150,10 +164,7 @@ $photoRoot = GALLERY_ROOT . 'photos/';
|
||||||
$thumbdir = rtrim('photos/' . $requestedDir, '/');
|
$thumbdir = rtrim('photos/' . $requestedDir, '/');
|
||||||
$currentdir = GALLERY_ROOT . $thumbdir;
|
$currentdir = GALLERY_ROOT . $thumbdir;
|
||||||
|
|
||||||
$thumbdirIsInPhotoRoot = strpos(realpath($thumbdir), realpath($photoRoot));
|
guardAgainstDirectoryTraversal($currentdir);
|
||||||
if ($thumbdirIsInPhotoRoot === false) {
|
|
||||||
die("ERROR: Could not open " . htmlspecialchars(stripslashes($currentdir)) . " for reading!");
|
|
||||||
}
|
|
||||||
|
|
||||||
//-----------------------
|
//-----------------------
|
||||||
// READ FILES AND FOLDERS
|
// READ FILES AND FOLDERS
|
||||||
|
|
Loading…
Reference in a new issue