author | Joe7 <jozsef.rnagy@site.hu> | 2011-01-05 23:31:50 +0100 |
---|---|---|
committer | Joe7 <jozsef.rnagy@site.hu> | 2011-01-07 19:42:57 +0100 |
commit | 9364f0d931883bb5f17f22c4003ee59256f9efb6 (patch) | |
tree | 946ca001fe36b10c5f8845d78b2bca3332d6b4d5 /modules/gallery/controllers/file_proxy.php | |
parent | d74aad072d8ccca70efb1c8b673e8368566a1974 (diff) |
Allow '..' segment in photo/album paths through file_proxy (as is not forbidden in other places like add album/item) and explicitly look for /../ instead
Note: directory path can't end in '.' forcibly so this shall be fine
Fixes Ticket #1518
Diffstat (limited to 'modules/gallery/controllers/file_proxy.php')
-rw-r--r-- | modules/gallery/controllers/file_proxy.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/gallery/controllers/file_proxy.php b/modules/gallery/controllers/file_proxy.php index 22854fbd..5ce9b458 100644 --- a/modules/gallery/controllers/file_proxy.php +++ b/modules/gallery/controllers/file_proxy.php @@ -45,7 +45,7 @@ class File_Proxy_Controller extends Controller { $file_uri = substr($request_uri, strlen($var_uri)); // Make sure that we don't leave the var dir - if (strpos($file_uri, "..") !== false) { + if (strpos($file_uri, "/../") !== false) { throw new Kohana_404_Exception(); } |
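Review bot: the new test `strpos($file_uri, "/../") !== false` only rejects a `..` segment that has a slash on both sides, so a `..` segment at the very start of `$file_uri` (possible if the `substr($request_uri, strlen($var_uri))` result does not begin with `/`, which depends on `$var_uri` and is not visible in this hunk) or at the very end (`/..`) is no longer caught by this line. The commit message argues the trailing case cannot occur, but that relies on validation elsewhere rather than on this check. Consider splitting `$file_uri` on `/` and throwing `Kohana_404_Exception` if any segment is exactly `..`; that still allows names that merely contain two dots, and it covers every position. The comment "Make sure that we don't leave the var dir" should also say that only whole `..` segments are rejected, so the intent of the narrower match is documented.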