Changeset 783 for trunk


Timestamp: 2011-04-22T16:56:40+02:00 (3 years ago)
Author: moo
Message: avoid possible filename injection in admin page

Location: trunk
Files: 3 edited

  • trunk/ChangeLog

    r765 r783  
    13131.3.2 2011-??-?? 
    1414======== 
     15 * avoid possible filename injection in admin page 
    1516 * adds 30 seconds timeout to "compiling" flag 
    1617 * decompiler: improves decompiling 
  • trunk/NEWS

    r765 r783  
    441.3.2 2011-??-?? 
    55======== 
     6 * admin page security fix 
    67 * adds 30 seconds timeout to "compiling" flag 
    78 * improves decompiling 
  • trunk/admin/common.php

    r782 r783  
    11<?php 
     2 
     3function xcache_validateFileName($name) 
     4{ 
     5    return preg_match('!^[a-zA-Z0-9._-]+$!', $name); 
     6} 
    27 
    38function get_language_file_ex($name, $l, $s) 
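Review bot: In xcache_validateFileName(), the pattern '!^[a-zA-Z0-9._-]+$!' ends with a plain $, which in PCRE also matches just before a trailing newline, so a name ending in "\n" still passes the check. Anchor the end with \z or add the D modifier, for example '!^[a-zA-Z0-9._-]+\z!'. The helper also returns preg_match()'s int (or false on error) rather than a bool; comparing the result with === 1 and adding a short doc comment saying that the allow-list deliberately excludes path separators would make the contract explicit.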
     
    1621        $l = $lmap[$l]; 
    1722    } 
    18     if (file_exists($file = "$name-$l-$s.lang.php")) { 
     23    $file = "$name-$l-$s.lang.php"; 
     24    if (xcache_validateFileName($file) && file_exists($file)) { 
    1925        return $file; 
    2026    } 
    2127    if (isset($smap[$s])) { 
    2228        $s = $smap[$s]; 
    23         if (file_exists($file = "$name-$l-$s.lang.php")) { 
     29        $file = "$name-$l-$s.lang.php"; 
     30        if (xcache_validateFileName($file) && file_exists($file)) { 
    2431            return $file; 
    2532        } 
    2633    } 
    27     if (file_exists($file = "$name-$l.lang.php")) { 
     34    $file = "$name-$l.lang.php"; 
     35    if (xcache_validateFileName($file) && file_exists($file)) { 
    2836        return $file; 
    2937    } 
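Review bot: The assign / xcache_validateFileName() / file_exists() pair is repeated for all three candidates in get_language_file_ex(), and a rejected name is indistinguishable from a missing file because both fall through silently to the next candidate. Consider a small helper that takes the candidate name and returns it only when it validates and exists, so the check cannot be dropped from one branch in a later edit. Validating $name, $l and $s once at the top of the function would also reject bad input before any candidate path is built.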