Security fix for #81 (insecure php setups)

2025-02-20 22:00:04 +01:00 · 2019-10-24 11:02:19 -06:00
parent 40755d01c4
commit ae87964f8c
1 changed files with 3 additions and 0 deletions
--- a/index.php
+++ b/index.php
@@ -59,6 +59,9 @@ if($_POST) {
 }

 $file = $_REQUEST['file'] ?: '.';
+// strip url syntax, like file://....
+$file = preg_replace('@^.+://@','',$file);
+
 if($_GET['do'] == 'list') {
 	if (is_dir($file)) {
 		$directory = $file;