disallow accessing serious server files via "?goto=".

Alexander M. Turek
2002-08-12 08:43:45 +00:00
parent 82f307edf3
commit 1184150fd9
2 changed files with 8 additions and 1 deletions


@@ -8,6 +8,8 @@ $Source$
2002-08-12 Alexander M. Turek <rabus@users.sourceforge.net>
* libraries/defines_php.lib.php3, Documentation.*, translators.html:
corrected version number.
* libraries/grab_globals.lib.php3: disallow accessing serious server files
via "?goto=".
2002-08-11 Robin Johnson <robbat2@users.sourceforge.net>
### 2.3.0 is released ###


@@ -40,5 +40,10 @@ if (!defined('PMA_GRAB_GLOBALS_INCLUDED')) {
$PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
} // end if
// Securety fix: disallow accessing serious server files via "?goto="
if (isset($goto) && strpos(' ' . $goto, '/') > 0 && substr($goto, 0, 2) != './') {
unset($goto);
} // end if
} // $__PMA_GRAB_GLOBALS_LIB__
?>
?>
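Review bot: The guard on `$goto` lets through any value that starts with `./` and never looks for `..`, so a path such as `./../name` (constructed example) still passes; it also tests only `/`, which leaves backslash separators on Windows hosts unchecked. Rejecting parent-directory segments and backslashes outright would close both gaps, e.g. `if (isset($goto) && (strpos(' ' . $goto, '..') > 0 || strpos(' ' . $goto, '\\') > 0 || (strpos(' ' . $goto, '/') > 0 && substr($goto, 0, 2) != './'))) {`. How `$goto` is consumed is not visible in this hunk, so the impact is inferred from the commit title; if the value reaches an include, comparing it against a fixed list of known script names would be stronger than pattern rejection. The comment should read `// Security fix: ...` ("Securety" is a typo), and the enclosing `if (!defined('PMA_GRAB_GLOBALS_INCLUDED'))` block starts outside the hunk.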