Commit 656dedcc authored by Robert Ricci's avatar Robert Ricci

Better security for docwrapper - make the regular expression tighter

so that it only allows [word].html files (and .txt files for the
doc/ version.)

The previous version allowed users to get the source of our php
scripts - probably not too bad, since there should not be big secrets
in them, but it could help an attacker look for exploitable bugs.
parent b248f82e
......@@ -28,18 +28,9 @@ if (!$printable) {
}
#
# Need to sanity check the path! For now, just make sure the path
# does not start with a dot or a slash.
# Need to sanity check the path! Allow only [word].{html,txt} files
#
$first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) {
USERERROR("Illegal document name: $docname!", 1);
}
#
# Nothing that looks like a ../ is allowed anywhere in the name
#
if (strstr($docname, "../")) {
if (!preg_match("/^[\w-]+\.(html|txt)$/", $docname)) {
USERERROR("Illegal document name: $docname!", 1);
}
......
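Review bot: The new `preg_match` check anchors the end with `$`, which in PCRE also matches just before a trailing newline, so a name like `intro.html` followed by `\n` (a constructed example) still passes the filter. Anchoring with `\z` or adding the `D` modifier closes that gap: `if (!preg_match('/^[\w-]+\.(html|txt)\z/', $docname)) {`. Single quotes also keep PHP from interpreting anything inside the pattern string. The two `.html`-only variants in the other hunks on this page need the same change. The code that later opens `$docname` lies outside the hunk, so the practical effect of a trailing newline cannot be judged from here.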
......@@ -26,18 +26,9 @@ if (!$printable) {
}
#
# Need to sanity check the path! For now, just make sure the path
# does not start with a dot or a slash.
# Need to sanity check the path! Allow only [word].html files
#
$first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) {
USERERROR("Illegal document name: $docname!", 1);
}
#
# Nothing that looks like a ../ is allowed anywhere in the name
#
if (strstr($docname, "../")) {
if (!preg_match("/^[\w-]+\.html$/", $docname)) {
USERERROR("Illegal document name: $docname!", 1);
}
......
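Review bot: The rejection path still interpolates the raw `$docname` into the `USERERROR` message, and any value that reaches this line has just failed validation. `USERERROR` is defined outside this page, so whether it HTML-escapes its argument cannot be confirmed here. If it does not, pass `htmlspecialchars($docname)` or leave the name out of the message. The same call appears in the other two hunks. A shared helper for the name check would also stop the three copies drifting apart, since the `.txt` allowance already differs between them.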
......@@ -28,18 +28,9 @@ if (!$printable) {
}
#
# Need to sanity check the path! For now, just make sure the path
# does not start with a dot or a slash.
# Need to sanity check the path! Allow only [word].html files
#
$first = substr($docname, 0, 1);
if (strcmp($first, ".") == 0 ||
strcmp($first, "/") == 0) {
USERERROR("Illegal document name: $docname!", 1);
}
#
# Nothing that looks like a ../ is allowed anywhere in the name
#
if (strstr($docname, "../")) {
if (!preg_match("/^[\w-]+\.html$/", $docname)) {
USERERROR("Illegal document name: $docname!", 1);
}
......