From 5b573abef74154974d867d22fb6b173b7b82759f Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Thu, 26 Oct 2017 13:15:40 +0200
Subject: [PATCH] do not allow path traversal and htmlencode displayed path
---
 api/src/Json/Tail.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/api/src/Json/Tail.php b/api/src/Json/Tail.php
index 61aca6f794..1ba3fb0b5e 100644
--- a/api/src/Json/Tail.php
+++ b/api/src/Json/Tail.php
@@ -74,6 +74,9 @@ class Tail
 if ($filename)
 {
+ // do NOT allow path-traversal
+ $filename = str_replace('../', '', $filename);
+
 $this->filename = $filename;
 if (!$this->filenames || !in_array($filename,$this->filenames)) $this->filenames[] = $filename;
@@ -176,7 +179,7 @@ class Tail
 'filename' => $this->filename,
 )).'
-
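Review bot: The new `$filename = str_replace('../', '', $filename);` is a single-pass rewrite, not a traversal guard: removing `../` once can leave a fresh `../` behind in the remaining text, and it does nothing about `..` at the end of a segment, backslash separators or an absolute path, so the value stored in `$this->filename` and `$this->filenames` can still point outside the directory the tail is meant to read. Reject instead of rewriting, e.g. `if (strpos($filename, '..') !== false) throw new \InvalidArgumentException('invalid filename');`, and preferably resolve the name with `realpath()` and require the result to lie under the permitted base directory (that directory is not visible in this hunk, so the check belongs wherever it is known). The comment `// do NOT allow path-traversal` then describes what the code actually guarantees rather than what it intends. The enclosing method starts before and ends after this hunk.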
';
+
';
 	}
 
 	/**