| author | Michal Čihař <mcihar@suse.cz> | 2013-10-03 17:54:50 +0400 |
|---|---|---|
| committer | Michal Čihař <mcihar@suse.cz> | 2013-10-03 17:54:50 +0400 |
| commit | 52be2f7fc9e4b4d517ca1d5190ba1a997fc04099 (patch) | |
| tree | b98aea10f87eff6c7dab2448212b1dafc2a1b870 /js/get_scripts.js.php | |
| parent | 0ad8714cb113ce5e15b0ca222eaa936ac684541b (diff) | |
Simplify file name validation
We don't want to expose possible hidden files as well (starting with .
on unix).
Diffstat (limited to 'js/get_scripts.js.php')
-rw-r--r-- | js/get_scripts.js.php | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/js/get_scripts.js.php b/js/get_scripts.js.php index 72b3b44de8..fdeddf4c3b 100644 --- a/js/get_scripts.js.php +++ b/js/get_scripts.js.php @@ -24,11 +24,9 @@ if (! empty($_GET['scripts']) && is_array($_GET['scripts'])) { $path = explode("/", $script); foreach ($path as $index => $filename) { - if (! preg_match("@^\.+$@", $filename) - && preg_match("@^[\w\.-]+$@", $filename) - ) { - // Disallow "." and ".." alone - // Allow alphanumeric, "." and "-" chars only + // Allow alphanumeric, "." and "-" chars only, no files starting + // with . + if (preg_match("@^[\w][\w\.-]+$@", $filename)) { $script_name .= DIRECTORY_SEPARATOR . $filename; } } |
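Review bot: the replacement pattern `@^[\w][\w\.-]+$@` requires at least two characters per path component, so a one-character file or directory name such as `a` is now rejected where the old `@^[\w\.-]+$@` accepted it; if that is not intended, make the second class optional: `if (preg_match("@^[\w][\w\.-]*$@", $filename)) {`. The leading `[\w]` still excludes `.`, `..`, empty components from doubled slashes, and anything starting with a dot, so the hidden-file goal in the commit message is preserved. Two smaller points on the same hunk: `\w` also matches `_`, so the comment "Allow alphanumeric, "." and "-" chars only" understates the accepted set, and a component that fails the check is silently dropped while the remaining components are still appended to `$script_name` rather than the whole `$script` being rejected; that behaviour predates this change but is worth calling out since it makes a malformed request partially succeed instead of failing.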