do not allow path traversal and htmlencode displayed path

This commit is contained in:
Ralf Becker 2017-10-26 13:15:40 +02:00
parent f5af05ffd2
commit 5b573abef7


@ -74,6 +74,9 @@ class Tail
if ($filename)
{
// do NOT allow path-traversal
$filename = str_replace('../', '', $filename);
$this->filename = $filename;
if (!$this->filenames || !in_array($filename,$this->filenames)) $this->filenames[] = $filename;
@ -176,7 +179,7 @@ class Tail
'filename' => $this->filename,
)).'
</div>
<pre class="tail" id="log" data-filename="'.$this->filename.'" style="clear: both; width: 99.5%; border: 2px groove silver; margin-bottom: 0; overflow: auto;"></pre>';
<pre class="tail" id="log" data-filename="'.htmlspecialchars($this->filename).'" style="clear: both; width: 99.5%; border: 2px groove silver; margin-bottom: 0; overflow: auto;"></pre>';
}
/**
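Review bot: The traversal guard added at `$filename = str_replace('../', '', $filename);` is a single, non-recursive substitution, so an input that nests the sequence can still contain `../` after one pass, and `..\` separators and absolute paths are not covered at all; silently stripping is also weaker than rejecting the request. Prefer to refuse outright, e.g. `if (strpos($filename, '..') !== false) throw new Exception('Invalid filename');`, or resolve with `realpath()` and accept only a result located inside the directory this class is allowed to read (that base directory is not visible in the hunk). In the second hunk, `htmlspecialchars()` without `ENT_QUOTES` leaves single quotes unescaped; that is adequate for the double-quoted `data-filename` attribute here but fragile if the quoting ever changes, so `htmlspecialchars($this->filename, ENT_QUOTES)` is the safer default. The `'filename' => $this->filename` entry a few lines above is handed to a helper outside the hunk whose escaping I cannot see; it presumably needs the same treatment. Both enclosing methods start and end outside the hunks.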