'../' is no good for us.

2003-03-11 19:24:48 +00:00
parent 667259f19b
commit 127b2a4577
2 changed files with 2 additions and 3 deletions
--- a/3
+++ b/3
@@ -12,8 +12,7 @@ $Source$
      a subdirectory of phpMyAdmin ('docSQL' proposed) OR upload each
      file on its own via File Upload (if $is_upload is true).
      Filenames not matching the converter will no more printed out to
-      maintain security.
-    
+      maintain security. Permits input of '../'.
    * transformation_wrapper.php3 - Remove $err_url, because if a query
      fails here, the user won't get to see the error string anyways.
      Can happen if you want to display a blob without having an index
--- a/db_details_importdocsql.php3
+++ b/db_details_importdocsql.php3
@@ -206,7 +206,7 @@ if (isset($do) && $do == 'import') {
    } else {
        
        // echo '<h1>Starting Import</h1>';
-        $docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . $docpath;
+        $docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . str_replace('../', './', $docpath);
        if (substr($docpath, strlen($docpath) - 2, 1) != '/') {
            $docpath = $docpath . '/';
        }