The branch, master has been updated via 4acaf763128928760fd47e75de794a288dc99762 (commit) via f97b5aba9b9458a627503f164fd5dafdac750002 (commit) from 71db1cb416556dceb50cf984e9f8033d3487f15e (commit)
- Log ----------------------------------------------------------------- commit 4acaf763128928760fd47e75de794a288dc99762 Author: Michal Čihař mcihar@suse.cz Date: Thu Aug 4 14:58:22 2011 +0200
Documentation
commit f97b5aba9b9458a627503f164fd5dafdac750002 Author: Michal Čihař mcihar@suse.cz Date: Thu Aug 4 14:57:16 2011 +0200
Better check for valid filename
-----------------------------------------------------------------------
Summary of changes: file_echo.php | 22 +++++++++++++++++++--- 1 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/file_echo.php b/file_echo.php index 7b27ffa..f829853 100644 --- a/file_echo.php +++ b/file_echo.php @@ -15,16 +15,32 @@ if (isset($_REQUEST['filename']) && isset($_REQUEST['image'])) { 'image/svg+xml' => 'svg', );
+ /* Check whether MIME type is allowed */ if (! isset($allowed[$_REQUEST['type']])) { die('Invalid export type'); }
- if (! preg_match("/(".implode("|",$allowed).")$/i", $_REQUEST['filename'])) { - $_REQUEST['filename'] .= '.' . $allowed[$_REQUEST['type']]; + /* + * Check file name to match mime type and not contain new lines + * to prevent response splitting. + */ + if (! preg_match('/^[^\n\r]*.' . $allowed[$_REQUEST['type']] . '$/', $_REQUEST['filename'])) { + if (! preg_match('/^[^\n\r]*$/', $_REQUEST['filename'])) { + /* Add extension */ + $filename = 'dowload.' . $allowed[$_REQUEST['type']]; + } else { + /* Filename is unsafe, discard it */ + $filename = $_REQUEST['filename'] . '.' . $allowed[$_REQUEST['type']]; + } + } else { + /* Filename from request should be safe here */ + $filename = $_REQUEST['filename']; }
- PMA_download_header($_REQUEST['filename'], $_REQUEST['type']); + /* Send download header */ + PMA_download_header($filename, $_REQUEST['type']);
+ /* Send data */ if ($allowed[$_REQUEST['type']] != 'svg') { echo base64_decode(substr($_REQUEST['image'], strpos($_REQUEST['image'],',') + 1)); } else {
hooks/post-receive