[geeklog-cvs] geeklog: Use COM_sanitizeFilename
geeklog-cvs at lists.geeklog.net
Fri Sep 11 11:54:43 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/b7a7ff3e25aa
changeset: 7304:b7a7ff3e25aa
user: Dirk Haun <dirk at haun-online.de>
date: Fri Sep 11 13:19:25 2009 +0200
description:
Use COM_sanitizeFilename
diffstat:
public_html/admin/database.php | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)
diffs (31 lines):
diff -r 65354b120142 -r b7a7ff3e25aa public_html/admin/database.php
--- a/public_html/admin/database.php Fri Sep 11 13:13:01 2009 +0200
+++ b/public_html/admin/database.php Fri Sep 11 13:19:25 2009 +0200
@@ -283,9 +283,8 @@
if ($mode == 'download') {
$file = '';
if (isset($_GET['file'])) {
- $file = preg_replace('/[^a-zA-Z0-9\-_\.]/', '', $_GET['file']);
- $file = str_replace('..', '', $file);
- if (!file_exists($_CONF['backup_path'] . $file)) {
+ $file = COM_sanitizeFilename($_GET['file'], true);
+ if (! file_exists($_CONF['backup_path'] . $file)) {
$file = '';
}
}
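Review bot: `file_exists()` on the line after the `COM_sanitizeFilename()` call also returns true for directories, so a sanitised value that names the backup directory itself or a subdirectory passes this check; `is_file()` pins the intent, e.g. `if ($file === '' || !is_file($_CONF['backup_path'] . $file)) {`. As written, an empty `$file` only stays empty because `file_exists()` of the bare `backup_path` happens to be true, which leaves the guard implicit rather than stated. Whether the sanitiser still neutralises `..` when its second argument is `true` is not visible in this hunk, so a short comment at the call site would help, e.g. `// second argument keeps dots; relies on COM_sanitizeFilename() handling '..'`. The download branch continues past the end of the hunk.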
@@ -305,10 +304,11 @@
} elseif ($mode == 'delete') {
if (SEC_checkToken()) {
foreach ($_POST['delitem'] as $delfile) {
- $file = preg_replace('/[^a-zA-Z0-9\-_\.]/', '', $delfile);
- $file = str_replace('..', '', $file);
- if (!@unlink($_CONF['backup_path'] . $file)) {
- COM_errorLog('Unable to remove backup file "' . $file . '"');
+ $file = COM_sanitizeFilename($delfile, true);
+ if (! empty($file)) {
+ if (!@unlink($_CONF['backup_path'] . $file)) {
+ COM_errorLog('Unable to remove backup file "' . $file . '"');
+ }
}
}
}
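Review bot: The new `if (! empty($file))` guard also skips a backup named `0`, because `empty('0')` is true in PHP; comparing against the empty string is the precise check, `if ($file !== '') {`. The spacing `! empty(` right above `!@unlink(` in the same block is inconsistent; pick one form for the file. The `@` on `unlink()` predates this change, but with the empty check now in place the suppression hides the only remaining failure reason, so the error log message could usefully include the path that was attempted. The foreach over `$_POST['delitem']` and the delete branch continue outside the hunk.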