Changeset 783


Timestamp:
2011-04-22T16:56:40+02:00 (4 years ago)
Author:
moo
Message:

avoid possible filename injection in admin page

Location:
trunk
Files:
3 edited

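--- a/trunk/ChangeLog
+++ b/trunk/ChangeLog
@@ -13,4 +13,5 @@
 1.3.2 2011-??-??
 ========
+ * avoid possible filename injection in admin page
  * adds 30 seconds timeout to "compiling" flag
  * decompiler: improves decompiling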
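--- a/trunk/NEWS
+++ b/trunk/NEWS
@@ -4,4 +4,5 @@
 1.3.2 2011-??-??
 ========
+ * admin page security fix
  * adds 30 seconds timeout to "compiling" flag
  * improves decompiling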
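--- a/trunk/admin/common.php
+++ b/trunk/admin/common.php
@@ -1,3 +1,8 @@
 <?php
+
+function xcache_validateFileName($name)
+{
+    return preg_match('!^[a-zA-Z0-9._-]+$!', $name);
+}
 
 function get_language_file_ex($name, $l, $s)
@@ -16,14 +21,17 @@
         $l = $lmap[$l];
     }
-    if (file_exists($file = "$name-$l-$s.lang.php")) {
+    $file = "$name-$l-$s.lang.php";
+    if (xcache_validateFileName($file) && file_exists($file)) {
         return $file;
     }
     if (isset($smap[$s])) {
         $s = $smap[$s];
-        if (file_exists($file = "$name-$l-$s.lang.php")) {
+        $file = "$name-$l-$s.lang.php";
+        if (xcache_validateFileName($file) && file_exists($file)) {
             return $file;
         }
     }
-    if (file_exists($file = "$name-$l.lang.php")) {
+    $file = "$name-$l.lang.php";
+    if (xcache_validateFileName($file) && file_exists($file)) {
         return $file;
     }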
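Review bot: The pattern in `xcache_validateFileName` is anchored with `$`, which in PCRE also matches just before a final newline, so a name ending in "\n" passes the check. The three call sites in `get_language_file_ex` always append the constant `.lang.php`, so this looks unreachable here, but the helper is named as a general validator and a later caller passing a raw name would inherit the gap. I would anchor with `\z` and make the result an explicit boolean, so a `preg_match` error is also treated as invalid: `return preg_match('!^[a-zA-Z0-9._-]+\z!', $name) === 1;`. A one-line docblock stating that the function accepts a single path component only (no directory separators, no NUL bytes) would make the contract clear. `get_language_file_ex` starts and ends outside the hunk, so where `$name`, `$l` and `$s` come from and how the returned path is used cannot be checked here.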