Description

Just see the example script getting exploited by clicking:
http://drupal.hu/?q=filebrowser/..

Here's my solution:
Replace line 291 (I think) with this:
$safer = str_replace(array("\\", "../", "/.svn", "/CVS", ".."), array("/", "", "", "",""), $folder);

Martin G.
martin {{at}} isg.si
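
A containment check is the usual way to handle this class of bug, as an added example (not the filebrowser module's own code, nor the fix posted above): rather than stripping ".." out of $folder with str_replace, resolve the requested path and refuse it unless it stays under the configured root. The function name filebrowser_safe_folder and the $root variable are assumptions for the illustration.

```php
<?php
// Added example, not code from the filebrowser module. Resolves $folder relative
// to $root and returns the real path only if it stays inside $root, else null.
function filebrowser_safe_folder(string $root, string $folder): ?string {
    $root_real = realpath($root);
    if ($root_real === false) {
        return null;                        // misconfigured root: refuse everything
    }
    // Normalise backslashes like the posted fix does, then let realpath() collapse
    // any "." / ".." components and symlinks for us.
    $candidate = realpath($root_real . DIRECTORY_SEPARATOR . str_replace('\\', '/', $folder));
    if ($candidate === false) {
        return null;                        // nothing exists at that path
    }
    // Containment check: the resolved path must be the root itself or a child of it.
    $prefix = rtrim($root_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root_real && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                        // escaped the root, e.g. via ".."
    }
    return $candidate;
}

// Constructed fixture: a throw-away root directory with one subfolder.
$root = sys_get_temp_dir() . '/fb_' . bin2hex(random_bytes(4));
mkdir($root . '/docs', 0700, true);

// ".." and "../.." resolve above the root and are rejected; "docs" and
// "docs/.." (which resolves back to the root itself) are allowed.
$cases = ['docs', '..', '../..', 'docs/..', 'docs/../..'];
foreach ($cases as $folder) {
    $result = filebrowser_safe_folder($root, $folder);
    printf("%-12s => %s\n", $folder, $result === null ? 'rejected' : 'allowed');
}

rmdir($root . '/docs');
rmdir($root);
```

The check works on the resolved path, so it also catches escapes through symlinks inside the root, which a string filter on the request cannot see.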

Comments

gábor hojtsy

Priority: Critical » Normal

Fixed in 4.5 and HEAD too. Since this only allowed the view of the particular one folder up (and no other folder), it was thankfully not that big a concern. Thanks for the report.