- security : add some checks to the download URL. Somebody should take it over for the other controls

git-svn-id: http://piwigo.org/svn/trunk@1187 68402e56-0260-453c-a942-63ccdbb3a9ee
chrisaga
2006-04-16 10:53:01 +00:00
parent 162773bd36
commit a21c222f39


@@ -65,8 +65,11 @@ function force_download ($filename)
//--------------------------------------------------------- download big picture
if ( isset( $_GET['dwn'] ) )
{
//TODO : verify the path begins with './gallerie' and doesn't contains any '..'
// in order to avoid hacking atempts
//TODO : verify the path begins with something in galleries_url and that user has access rights to the picture
// in order to avoid hacking atempts by forged url
if (preg_match('/\.\./',$_GET['dwn'])) {
die('Hacking attempt!');
}
force_download($_GET['dwn']);
}
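Review bot: The added `preg_match('/\.\./',$_GET['dwn'])` guard only rejects a literal parent-directory token; it does not confine the requested path to the gallery directory, so a path outside the gallery root that contains no `..` (an absolute path, for instance) still reaches `force_download()`. The TODO kept at the top of the block already names the missing check, and the first half of it can be implemented by resolving the request with `realpath()` and requiring the result to start with the resolved gallery root, then passing that canonical path on rather than the raw parameter. The access-rights half — that the current user may see this picture — is still not addressed and should be checked before the download, presumably against the picture's category permissions; that code is not visible from this hunk, and neither is the body of `force_download()`. The gallery root in the sketch below is a placeholder for the configured galleries directory.
```php
if ( isset( $_GET['dwn'] ) )
{
  // GALLERIES_ROOT_PLACEHOLDER: replace with the configured galleries directory
  $root = realpath(GALLERIES_ROOT_PLACEHOLDER);
  $path = realpath($_GET['dwn']);
  if ($root === false || $path === false || strpos($path, $root . '/') !== 0) {
    die('Hacking attempt!');
  }
  // … still to be added: check that the current user has access rights to this picture …
  force_download($path);
}
```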