[geeklog-cvs] geeklog: Use COM_sanitizeFilename

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Fri Sep 11 11:54:43 EDT 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/b7a7ff3e25aa
changeset: 7304:b7a7ff3e25aa
user:      Dirk Haun <dirk at haun-online.de>
date:      Fri Sep 11 13:19:25 2009 +0200
description:
Use COM_sanitizeFilename

diffstat:

 public_html/admin/database.php |  14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diffs (31 lines):

diff -r 65354b120142 -r b7a7ff3e25aa public_html/admin/database.php
--- a/public_html/admin/database.php	Fri Sep 11 13:13:01 2009 +0200
+++ b/public_html/admin/database.php	Fri Sep 11 13:19:25 2009 +0200
@@ -283,9 +283,8 @@
 if ($mode == 'download') {
     $file = '';
     if (isset($_GET['file'])) {
-        $file = preg_replace('/[^a-zA-Z0-9\-_\.]/', '', $_GET['file']);
-        $file = str_replace('..', '', $file);
-        if (!file_exists($_CONF['backup_path'] . $file)) {
+        $file = COM_sanitizeFilename($_GET['file'], true);
+        if (! file_exists($_CONF['backup_path'] . $file)) {
             $file = '';
         }
     }
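Review bot: The check `if (! file_exists($_CONF['backup_path'] . $file))` still accepts anything that exists under the backup path, including directories, so a sanitised name is not guaranteed to refer to a regular backup file; `is_file()` is the narrower test, e.g. `if ($file === '' || !is_file($_CONF['backup_path'] . $file))`. Whether COM_sanitizeFilename() with the second argument set can still return a dot-only name such as `.` depends on its implementation, which is outside this diff, and `is_file()` makes that question moot. The delete branch in the second hunk guards against an empty sanitised name while this branch does not, so the two call sites are not symmetric. The remainder of the download handling continues outside the hunk.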
@@ -305,10 +304,11 @@
 } elseif ($mode == 'delete') {
     if (SEC_checkToken()) {
         foreach ($_POST['delitem'] as $delfile) {
-            $file = preg_replace('/[^a-zA-Z0-9\-_\.]/', '', $delfile);
-            $file = str_replace('..', '', $file);
-            if (!@unlink($_CONF['backup_path'] . $file)) {
-                COM_errorLog('Unable to remove backup file "' . $file . '"');
+            $file = COM_sanitizeFilename($delfile, true);
+            if (! empty($file)) {
+                if (!@unlink($_CONF['backup_path'] . $file)) {
+                    COM_errorLog('Unable to remove backup file "' . $file . '"');
+                }
             }
         }
     }
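Review bot: The new guard `if (! empty($file))` uses `empty()`, which is also true for the string `'0'`, so a backup file literally named `0` would be silently skipped; `if ($file !== '')` expresses the intent exactly. The `@unlink()` call still runs against any non-empty name without first confirming it is a regular file inside the backup directory, so an `is_file()` check before the unlink, mirroring what the download branch should do, would keep a directory or a non-existent name from reaching unlink at all and make the "Unable to remove backup file" log entry mean a genuine removal failure. Negation spacing is mixed within the same hunk (`! empty(` beside `!@unlink(`); pick one form. The handling of a missing or non-array `$_POST['delitem']` predates this change and the enclosing delete branch ends outside the hunk.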


