holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

do not allow path traversal and htmlencode displayed path

Browse Source
This commit is contained in:
Ralf Becker 2017-10-26 13:15:40 +02:00
parent f5af05ffd2
commit 5b573abef7
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
api/src/Json/Tail.php
View File

@ -74,6 +74,9 @@ class Tail
if ($filename) if ($filename)
{ {
// do NOT allow path-traversal
$filename = str_replace('../', '', $filename);
$this->filename = $filename; $this->filename = $filename;
if (!$this->filenames || !in_array($filename,$this->filenames)) $this->filenames[] = $filename; if (!$this->filenames || !in_array($filename,$this->filenames)) $this->filenames[] = $filename;
@ -176,7 +179,7 @@ class Tail
'filename' => $this->filename, 'filename' => $this->filename,
)).' )).'
</div> </div>
<pre class="tail" id="log" data-filename="'.$this->filename.'" style="clear: both; width: 99.5%; border: 2px groove silver; margin-bottom: 0; overflow: auto;"></pre>'; <pre class="tail" id="log" data-filename="'.htmlspecialchars($this->filename).'" style="clear: both; width: 99.5%; border: 2px groove silver; margin-bottom: 0; overflow: auto;"></pre>';
} }
/** /**