Diffstat (limited to 'modules/server_add/controllers')
-rw-r--r--modules/server_add/controllers/admin_server_add.php4
-rw-r--r--modules/server_add/controllers/server_add.php16
2 files changed, 15 insertions, 5 deletions
diff --git a/modules/server_add/controllers/admin_server_add.php b/modules/server_add/controllers/admin_server_add.php
index a340f61a..94dd8f74 100644
--- a/modules/server_add/controllers/admin_server_add.php
+++ b/modules/server_add/controllers/admin_server_add.php
@@ -40,13 +40,13 @@ class Admin_Server_Add_Controller extends Admin_Controller {
module::set_var("server_add", "authorized_paths", serialize($paths));
$view = new View("server_add_dir_list.html");
$view->paths = array_keys($paths);
- $form->add_path->inputs["path"]->value("");
+ $form->add_path->inputs->path->value = "";
print json_encode(
array("result" => "success",
"paths" => $view->__toString(),
"form" => $form->__toString()));
} else {
- $form->add_path->inputs["path"]->error("not_readable");
+ $form->add_path->inputs->path->error("not_readable");
print json_encode(array("result" => "error", "form" => $form->__toString()));
}
} else {
diff --git a/modules/server_add/controllers/server_add.php b/modules/server_add/controllers/server_add.php
index e926ade7..592a14e3 100644
--- a/modules/server_add/controllers/server_add.php
+++ b/modules/server_add/controllers/server_add.php
@@ -41,9 +41,16 @@ class Server_Add_Controller extends Controller {
}
public function children() {
+ $paths = unserialize(module::get_var("server_add", "authorized_paths"));
+
+ $path_valid = false;
$path = $this->input->post("path");
+
+ if (empty($paths[$path[0]])) {
+ throw new Exception("@todo BAD_PATH");
+ }
$path = implode("/", $this->input->post("path"));
- if (!is_readable($path)) {
+ if (!is_readable($path) || is_link($path)) {
kohana::show_404();
}
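Review bot: The new authorization check only validates the first element of the posted `path` array; the remaining segments are joined on the following line without rejecting `..` or empty entries, and the same segments are appended one at a time in the later hunk at lines 60-64, so the walk can still leave the authorized root even though the new `is_link()` checks catch symlinks. The guard also assumes `path` is an array — a scalar post value makes `$path[0]` a single character and `$paths` is then indexed with that. A tighter check is `if (!is_array($path) || empty($paths[$path[0]]) || in_array("..", $path, true) || in_array("", $path, true)) { throw new Exception("@todo BAD_PATH"); }`. `$path_valid = false;` is never read within this hunk and looks like a leftover. children() continues outside the hunk.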
@@ -62,7 +69,7 @@ class Server_Add_Controller extends Controller {
$parent = ORM::factory("item", $id);
access::required("server_add", $parent);
- if (!$parent->is_album() && !$parent->loaded ) {
+ if (!$parent->is_album()) {
throw new Exception("@todo BAD_ALBUM");
}
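Review bot: The simplified condition drops the `loaded` test, so an `$id` that matches no item now reaches the exception only if `is_album()` happens to return false for an unloaded ORM object (not visible here); an explicit `if (!$parent->loaded || !$parent->is_album())` states the intent without relying on that. The `access::required()` call on the line above may already reject unloaded items — worth confirming before leaving the check implicit. The enclosing method starts and ends outside the hunk.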
@@ -77,6 +84,9 @@ class Server_Add_Controller extends Controller {
// The first path corresponds to the source directory so we can just skip it.
for ($i = 1; $i < count($path); $i++) {
$source_path .= "/$path[$i]";
+ if (is_link($source_path) || !is_readable($source_path)) {
+ kohana::show_404();
+ }
$pathinfo = pathinfo($source_path);
set_time_limit(30);
if (is_dir($source_path)) {
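Review bot: The per-segment `show_404()` runs inside the loop after `$source_path` has already been extended, so if earlier iterations have side effects (the loop body continues outside the hunk, so this is inferred) a bad segment late in `$path` aborts the request with earlier work already applied. Validating every segment against `is_link()`/`is_readable()` before the `for` loop, or at least before anything is created in an iteration, would keep the request all-or-nothing. A short comment on the new check such as `// Reject symlinks and unreadable entries so the walk cannot leave the authorized tree.` would also explain why it sits at this point.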
@@ -107,7 +117,7 @@ class Server_Add_Controller extends Controller {
$file_list = array();
$files = new DirectoryIterator($path);
foreach ($files as $file) {
- if ($file->isDot()) {
+ if ($file->isDot() || $file->isLink()) {
continue;
}
$filename = $file->getFilename();
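Review bot: The new `isLink()` skip is silent, and a reader has no hint why symlinked entries vanish from the listing; a comment on the new line such as `// Skip symlinks: following them could expose files outside the authorized path.` ties it to the matching checks elsewhere in this commit. `DirectoryIterator::isLink()` only reports on the entry itself, not on a link higher up in `$path`, so this relies on the earlier checks in children() having vetted the directory (inferred; that function is in another hunk). The enclosing function starts and ends outside the hunk.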