[geeklog-cvs] geeklog: Don't expose temp. upload dir and be more strict with f...
geeklog-cvs at lists.geeklog.net
Tue Dec 29 08:00:37 EST 2009
changeset 7553:1e007c956d39
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/1e007c956d39
user: Dirk Haun <dirk at haun-online.de>
date: Tue Dec 29 10:07:01 2009 +0100
description:
Don't expose temp. upload dir and be more strict with filenames when reconstructing the $_FILES array
diffstat:
system/lib-security.php | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diffs (40 lines):
diff -r d93ca7c35812 -r 1e007c956d39 system/lib-security.php
--- a/system/lib-security.php Tue Dec 29 09:53:22 2009 +0100
+++ b/system/lib-security.php Tue Dec 29 10:07:01 2009 +0100
@@ -1146,15 +1146,16 @@
$getdata = serialize($_GET);
$files = '';
if (! empty($_FILES)) {
- $files = serialize($_FILES);
// rescue uploaded files
- foreach ($_FILES as $f) {
+ foreach ($_FILES as $key => $f) {
if (! empty($f['name'])) {
$filename = basename($f['tmp_name']);
move_uploaded_file($f['tmp_name'],
$_CONF['path_data'] . $filename);
+ $_FILES[$key]['tmp_name'] = $filename; // drop temp. dir
}
}
+ $files = serialize($_FILES);
}
$display = COM_siteHeader('menu', $LANG20[1])
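Review bot: The return value of move_uploaded_file() is not checked, yet `$_FILES[$key]['tmp_name']` is unconditionally overwritten with the bare basename, so when the move fails (data directory not writable, or an entry whose `error` is non-zero but whose `name` is still set) the serialized `$_FILES` records a file in `$_CONF['path_data']` that was never written, and the later reconstruction will happily build a path to it. Making the rewrite conditional keeps the stored record honest: `if (move_uploaded_file($f['tmp_name'], $_CONF['path_data'] . $filename)) { $_FILES[$key]['tmp_name'] = $filename; } else { $_FILES[$key]['tmp_name'] = ''; }`. It would also be reasonable to skip entries whose `$f['error']` is not `UPLOAD_ERR_OK` before attempting the move at all. The enclosing function starts before and continues after this hunk.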
@@ -1338,7 +1339,7 @@
foreach ($value as $kk => $kv) {
if ($kk == 'tmp_name') {
// fix path - uploaded files are in our data directory
- $filename = basename($kv);
+ $filename = COM_sanitizeFilename(basename($kv), true);
$kv = $_CONF['path_data'] . $filename;
// set a flag so we know where it's coming from
$_FILES[$file]['_gl_data_dir'] = true;
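Review bot: If COM_sanitizeFilename() strips a stored name down to the empty string (its exact rules are not visible here, so this is an assumption to confirm), the next line sets `tmp_name` to `$_CONF['path_data']` itself — the data directory — and the entry is still flagged `_gl_data_dir`, so any downstream code trusting that flag would operate on the directory rather than an uploaded file. Treat an empty sanitized name as a missing upload instead, e.g. `$kv = ($filename === '') ? '' : $_CONF['path_data'] . $filename;`, and only set `_gl_data_dir` when a name survived sanitizing. A short comment such as `// sanitize: stored tmp_name is untrusted once it has round-tripped through storage` would also make clear why basename() alone was no longer considered enough. The enclosing function starts before and continues after this hunk.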
@@ -1381,7 +1382,7 @@
foreach ($files as $key => $value) {
if (! empty($value['tmp_name'])) {
// ignore path - file is in $_CONF['path_data']
- $filename = basename($value['tmp_name']);
+ $filename = COM_sanitizeFilename(basename($value['tmp_name']), true);
$orphan = $_CONF['path_data'] . $filename;
if (file_exists($orphan)) {
if (! @unlink($orphan)) {
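Review bot: `file_exists($orphan)` is also true for a directory, so if COM_sanitizeFilename() reduces a stored name to the empty string (its rules are not visible here) `$orphan` is `$_CONF['path_data']` itself and the code tries to unlink the data directory, landing in the failure branch; `is_file()` is the right test for an orphaned upload, `if ($filename !== '' && is_file($orphan)) {`. The `@` on unlink() also hides the reason a delete failed, which the branch below apparently wants to report; letting the warning through or capturing `error_get_last()` there would make orphan cleanup debuggable. The enclosing function starts before and continues after this hunk.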