quick fix to security issue

2025-02-20 22:00:04 +01:00 · 2017-04-26 11:43:50 -04:00
parent 9bd30e1d3e
commit de52e7ee61
1 changed files with 3 additions and 0 deletions
--- a/index.php
+++ b/index.php
@@ -47,6 +47,9 @@ if($tmp === false)
 	err(404,'File or Directory Not Found');
 if(substr($tmp, 0,strlen($tmp_dir)) !== $tmp_dir)
 	err(403,"Forbidden");
+if(strpos($_REQUEST['file'], DIRECTORY_SEPARATOR) === 0) 
+	err(403,"Forbidden");
+

 if(!$_COOKIE['_sfm_xsrf'])
 	setcookie('_sfm_xsrf',bin2hex(openssl_random_pseudo_bytes(16)));