admin/Facilitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Paranoia controle op '..' in attachmentpad iets aanscherpen

Browse Source 
De replace zou alleen de eerste '..' vervangen. Bovendien wil ik zeker zien in de logging

svn path=/Website/trunk/; revision=30402
This commit is contained in:
Jos Groot Lipman
2016-08-24 10:11:19 +00:00
parent 30cbf49029
commit 423ed66979
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
APPL/Shared/FlexFiles.inc
View File

@@ -318,8 +318,16 @@ function flexProps(pModule, pKey, pSubpath, pNiveau, params)
default:
INTERNAL_ERROR_MODULE;
}
result.AttachRootPath = result.AttachRootPath.replace("..", "_"); // paranoia mode, should never happen
if (result.AttachRootPath.indexOf("..") > -1 || // paranoia mode, should never happen
result.AttachPath.indexOf("..") > -1)
{
__DoLog("Bad attach path with '..'\nAttachRootPath: {0}\nAttachPath: {1}".format(result.AttachRootPath, result.AttachPath), '#F00');
INTERNAL_ERROR_BAD_ATTACHPATH;
}
result.AttachRootPath = result.AttachRootPath.replace("..", "_");
result.AttachPath = result.AttachPath.replace("..", "_");
if (params.getFile)
{
if (fso.FileExists(result.AttachPath + params.getFile))