tbrehm
2009-09-14 60bc9cd92e5e36f0719ec57472e53784b9cc3dbd
Improved regex for module and filename check in content.php and changed relative path to absolute path in include statement. Many thanks to Mirko for finding this.
1 files modified
12 ■■■■ changed files
interface/web/content.php 12 ●●●●
interface/web/content.php
@@ -34,12 +34,12 @@
$module = $_REQUEST["s_mod"];
$page = $_REQUEST["s_pg"];
if(!preg_match("/^[a-z]{0,20}$/i", $module)) die('module name contains unallowed chars.');
if(!preg_match("/^[a-z]{0,20}$/i", $page)) die('page name contains unallowed chars.');
if(!preg_match("/^[a-z]{2,20}$/i", $module)) die('module name contains unallowed chars.');
if(!preg_match("/^[a-z]{2,20}$/i", $page)) die('page name contains unallowed chars.');
if(is_file("$module/$page.php")) {
if(is_file(ISPC_WEB_PATH."/$module/$page.php")) {
    
    include_once("$module/$page.php");
    include_once(ISPC_WEB_PATH."/$module/$page.php");
    $classname = $module.'_'.$page;
    $page = new $classname();
@@ -54,8 +54,8 @@
        if(!preg_match("/^[a-z]{2,20}$/i", $module)) die('target module name contains unallowed chars.');
        if(!preg_match("/^[a-z]{2,20}$/i", $page)) die('target page name contains unallowed chars.');
        
        if(is_file("$module/$page.php")) {
            include_once("$module/$page.php");
        if(is_file(ISPC_WEB_PATH."/$module/$page.php")) {
            include_once(ISPC_WEB_PATH."/$module/$page.php");
            
            $classname = $module.'_'.$page;
            $page = new $classname();
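Review bot: The `preg_match` checks on `$module` and `$page` anchor with `$`, which in PCRE also matches just before a trailing newline, so a value ending in a newline still passes the filter and reaches the path built for `is_file()` and `include_once()`. Anchoring with `\z` (or adding the `D` modifier) makes the check exact, e.g. `if(!preg_match('/^[a-z]{2,20}\z/i', $module)) die('module name contains unallowed chars.');`, and the same applies to the target module and page checks in the second hunk. Separately, `new $classname()` instantiates a request-derived class name right after the include without confirming that the file defined it. A guard such as `if(!class_exists($classname, false)) die('page class not found.');` would turn a fatal error into a controlled failure. Both `if(is_file(...))` blocks continue past the lines shown, so any authorization check on the module has to be confirmed outside this view.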