Added regexp to strip away any special chars from filename

Jack-Benny Persson 2014-07-05 10:40:49 +02:00
parent 56da0c396a
commit 025f537074


@ -3,8 +3,13 @@ require ("../includes/content.php");
require ("../includes/miscfunc.php");
require ("../includes/htmlcode.php");
//Make some form of control below, this is unsafe...
$file = Page::$parentDir . Page::$contentFolder . $_GET['file'];
/*regexp to strip away '..', '/' and so forth. Filename must now be in the
format of myfile.ext, where myfile can be 1 to 20 chars long (including '-'
and '_') and ext can be
from 1 to 4 chars.*/
$filename = $_GET['file'];
preg_match_all("/[a-z_\-0-9]{1,30}\.[a-z]{1,4}/i", $filename, $checkedFilename);
$file = Page::$parentDir . Page::$contentFolder . $checkedFilename[0][0];
if(isset($_POST['content']))
{
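Review bot: The `preg_match_all` call on the new side is unanchored, so it extracts the first substring of `$_GET['file']` that looks like a filename instead of rejecting input that is not a filename as a whole; when nothing matches, `$checkedFilename[0][0]` is undefined and `$file` becomes the bare content directory path. Validate the whole value and stop on failure, for example `if (!isset($_GET['file']) || !is_string($_GET['file']) || !preg_match('/\A[a-z0-9_-]{1,30}\.[a-z]{1,4}\z/i', $_GET['file'])) { exit; }` followed by `$file = Page::$parentDir . Page::$contentFolder . $_GET['file'];`. The comment above the call says the name part is 1 to 20 chars while the pattern allows `{1,30}`, so one of the two should be corrected. The `if(isset($_POST['content']))` block that follows opens on the last line of the hunk and its body is outside it, so how `$file` is used afterwards is not visible here.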