Allow to use « .. » in directory name.
Some people names their directories like this : (2014-09-01..08)+Super+Party which is a perfectly valid directory name. But the directory traversal protection was a bit protective and prevented this. Now it checks if the requested directory is in the gallery directory by comparing their real path. Fixes sebsauvage/MinigalNano/#89
This commit is contained in:
Nicolas DIDIER
parent
6a670e1465
commit
950a741cbd
13
index.php
13
index.php
|
|
@ -146,16 +146,15 @@ if (!empty($_GET['dir'])) {
|
|||
$requestedDir = $_GET['dir'];
|
||||
}
|
||||
|
||||
$photoRoot = GALLERY_ROOT . 'photos/';
|
||||
$thumbdir = rtrim('photos/' . $requestedDir, '/');
|
||||
|
||||
//$thumbdir = str_replace('/..', '', $thumbdir); // Prevent directory traversal attacks.
|
||||
if (strstr($thumbdir, '..') !== false) {
|
||||
$requestedDir = '';
|
||||
$thumbdir = rtrim('photos/', '/');
|
||||
}
|
||||
|
||||
$currentdir = GALLERY_ROOT . $thumbdir;
|
||||
|
||||
$thumbdirIsInPhotoRoot = strpos(realpath($thumbdir), realpath($photoRoot));
|
||||
if ($thumbdirIsInPhotoRoot === false) {
|
||||
die("ERROR: Could not open " . htmlspecialchars(stripslashes($currentdir)) . " for reading!");
|
||||
}
|
||||
|
||||
//-----------------------
|
||||
// READ FILES AND FOLDERS
|
||||
//-----------------------
|
||||
|
|
|
|||
Loading…
Reference in New Issue