authorMichal Čihař <mcihar@suse.cz>2011-08-04 16:57:16 +0400
committerMichal Čihař <mcihar@suse.cz>2011-08-04 16:57:16 +0400
commitf97b5aba9b9458a627503f164fd5dafdac750002 (patch)
treead59a2849314cad9160b899b16995583774ffb53 /file_echo.php
parent71db1cb416556dceb50cf984e9f8033d3487f15e (diff)
Better check for valid filename
Diffstat (limited to 'file_echo.php')
-rw-r--r--file_echo.php15
1 files changed, 12 insertions, 3 deletions
diff --git a/file_echo.php b/file_echo.php
index 7b27ffa3ce..00aaee5662 100644
--- a/file_echo.php
+++ b/file_echo.php
@@ -19,11 +19,20 @@ if (isset($_REQUEST['filename']) && isset($_REQUEST['image'])) {
die('Invalid export type');
}
- if (! preg_match("/(".implode("|",$allowed).")$/i", $_REQUEST['filename'])) {
- $_REQUEST['filename'] .= '.' . $allowed[$_REQUEST['type']];
+ if (! preg_match('/^[^\n\r]*\.' . $allowed[$_REQUEST['type']] . '$/', $_REQUEST['filename'])) {
+ if (! preg_match('/^[^\n\r]*$/', $_REQUEST['filename'])) {
+ /* Add extension */
+ $filename = 'dowload.' . $allowed[$_REQUEST['type']];
+ } else {
+ /* Filename is unsafe, discard it */
+ $filename = $_REQUEST['filename'] . '.' . $allowed[$_REQUEST['type']];
+ }
+ } else {
+ /* Filename from request should be safe here */
+ $filename = $_REQUEST['filename'];
}
- PMA_download_header($_REQUEST['filename'], $_REQUEST['type']);
+ PMA_download_header($filename, $_REQUEST['type']);
if ($allowed[$_REQUEST['type']] != 'svg') {
echo base64_decode(substr($_REQUEST['image'], strpos($_REQUEST['image'],',') + 1));