From d032345191c57294d5723639f777692c85bd2b1a Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Mon, 7 May 2012 13:20:43 +0200
Subject: [PATCH] fix validation of getfile parameter - i hate this bloody merge conflicts
---
 lib/base.php | 4 ++--
 lib/helper.php | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/lib/base.php b/lib/base.php
index 40df2b0c56..14f2439ecb 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -443,8 +443,8 @@ class OC{
 $_GET['getfile'] = $file;
 }
 if(!is_null(self::$REQUESTEDFILE)){
- $subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
- $parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
+ $subdir = OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
+ $parent = OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP;
 if(!OC_Helper::issubdirectory($subdir, $parent)){
 self::$REQUESTEDFILE = null;
 header('HTTP/1.0 404 Not Found');
diff --git a/lib/helper.php b/lib/helper.php
index 2ddd5e7b77..5422d88398 100644
--- a/lib/helper.php
+++ b/lib/helper.php
@@ -576,14 +576,12 @@ class OC_Helper {
 return true;
 }
 }
- /*
- echo 'SUB: ' . $sub . "\n";
+ /*echo 'SUB: ' . $sub . "\n";
 echo 'PAR: ' . $parent . "\n";
 echo 'REALSUB: ' . $realpath_sub . "\n";
 echo 'REALPAR: ' . $realpath_parent . "\n";
 echo substr($realpath_sub, 0, strlen($realpath_parent));
- exit;
- */
+ exit;*/
 return false;
 }
 }
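Review bot: The containment check in the lib/base.php hunk only ties `$subdir` to `$parent`, and `$parent` is itself built from `self::$REQUESTEDAPP`, so nothing visible here guarantees that the app directory stays under the apps root. If `REQUESTEDAPP` can carry path separators or dot segments (its sanitising, if any, is outside the hunk), both paths move together and the check still passes. Anchoring the parent as well closes that gap: `$appsdir = OC::$APPSROOT . '/apps';` followed by `if(!OC_Helper::issubdirectory($parent, $appsdir) || !OC_Helper::issubdirectory($subdir, $parent)){`. The enclosing method starts and ends outside the hunk, so whether the 404 branch stops execution after `header()` cannot be confirmed from here.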
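Review bot: The commented-out debug block in the lib/helper.php hunk (in what appears to be `OC_Helper::issubdirectory`) is reshaped rather than removed; dead `echo`/`exit` statements in a path-validation helper are better deleted, since re-enabling them would print resolved server paths and end the request. The `substr($realpath_sub, 0, strlen($realpath_parent))` line also hints that the live comparison, which is outside the hunk, is a plain string-prefix test. If so, a sibling directory whose name merely begins with the parent's name would count as a subdirectory; comparing against `$realpath_parent . '/'`, or also accepting exact equality, avoids that. The function body starts before the hunk.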