From 127b2a45775347f9b1f74bf58da70bdb859b66c2 Mon Sep 17 00:00:00 2001
From: Garvin Hicking
Date: Tue, 11 Mar 2003 19:24:48 +0000
Subject: [PATCH] '../' is no good for us.
---
 ChangeLog | 3 +--
 db_details_importdocsql.php3 | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index bc02f3731..b6a9edffd 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,8 +12,7 @@ $Source$
 a subdirectory of phpMyAdmin ('docSQL' proposed) OR upload each file on its own via File Upload (if $is_upload is true). Filenames not matching the converter will no more printed out to
- maintain security.
-
+ maintain security. Permits input of '../'.
 * transformation_wrapper.php3 - Remove $err_url, because if a query fails here, the user won't get to see the error string anyways. Can happen if you want to display a blob without having an index
diff --git a/db_details_importdocsql.php3 b/db_details_importdocsql.php3
index 341eed02a..312a967b6 100644
--- a/db_details_importdocsql.php3
+++ b/db_details_importdocsql.php3
@@ -206,7 +206,7 @@ if (isset($do) && $do == 'import') {
 } else {
 // echo '

Starting Import

';
- $docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . $docpath;
+ $docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . str_replace('../', './', $docpath);
 if (substr($docpath, strlen($docpath) - 2, 1) != '/') {
 $docpath = $docpath . '/';
 }
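Review bot: The single `str_replace('../', './', $docpath)` on the added line is not a reliable guard against directory traversal: str_replace makes one pass over the string, so the result can still contain `../` after the substitution, and it does nothing for an absolute `$docpath`; the value still reaches the filesystem as a path prefix. Resolve the path and check the result against the intended base directory instead of rewriting the input, e.g. with `realpath()`, so the check holds regardless of how the input is spelled. The `if (substr($docpath, strlen($docpath) - 2, 1) != '/')` context line below also looks off by one, since it inspects the second-to-last character; `strlen($docpath) - 1` would be the last one. The enclosing `else` branch continues past the end of the hunk and this file's error-reporting path is not visible here, so the rejection branch in the sketch is a placeholder to be wired to whatever the surrounding code does on failure.
```php
        $docbase = realpath($DOCUMENT_ROOT . dirname($PHP_SELF));
        $docpath = realpath($docbase . '/' . $docpath);
        // realpath() returns false for a nonexistent path; anything that does not resolve to a
        // directory strictly below $docbase (the "docSQL" subdirectory case) is rejected
        if ($docpath === false || substr($docpath, 0, strlen($docbase) + 1) != $docbase . '/') {
            // TODO(review): report the error the way this file does elsewhere (handler not in the hunk)
        }
        // … unchanged: trailing-slash normalisation …
```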