From 217b8d78eef89fea9b3fd8adcea32f66934f898a Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Wed, 04 Apr 2012 02:11:26 -0400
Subject: [PATCH] Fixed: FS#2157 - Add new Webdav user" can chmod and chown entire server from client interface

---
 interface/web/sites/webdav_user_edit.php        |    4 +++-
 interface/web/sites/lib/lang/en_webdav_user.lng |    2 ++
 2 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/interface/web/sites/lib/lang/en_webdav_user.lng b/interface/web/sites/lib/lang/en_webdav_user.lng
index 09cf6ff..3d43cfc 100644
--- a/interface/web/sites/lib/lang/en_webdav_user.lng
+++ b/interface/web/sites/lib/lang/en_webdav_user.lng
@@ -13,4 +13,6 @@
 $wb["directory_error_empty"] = 'Directory empty.';
 $wb["parent_domain_id_error_empty"] = 'No website selected.';
 $wb['password_strength_txt'] = 'Password strength';
+$wb['dir_dot_error'] = 'No .. in path allowed.';
+$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
 ?>
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index 5d5a617..2d7dc41 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -114,7 +114,9 @@
 		 */
 		if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />';
 		if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />';
-
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />';
+		
 		parent::onSubmit();
 	}
 
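Review bot: The two new substring checks on `dir` reject `..` and `./` but nothing rejects an absolute value, so a `dir` beginning with `/` still passes this validation; whether that lets the stored directory leave the site's web root depends on how the server side joins it, which is not visible in this hunk, but the client-side check should not rely on that. One more guard line closes the gap, with a new language string to be added alongside the two in en_webdav_user.lng (key name is a placeholder): `if(isset($this->dataRecord['dir']) && substr(trim($this->dataRecord['dir']),0,1) === '/') $app->tform->errorMessage .= $app->tform->lng('DIR_ABSOLUTE_ERROR_KEY').'<br />';`. As a point of style, `stristr()` is a case-insensitive search that returns the remainder of the string, neither of which is wanted here; `strpos($this->dataRecord['dir'],'..') !== false` states the intent directly and the same applies to the `./` line. onSubmit() begins before this hunk, so the origin of `$this->dataRecord` and `$app` is outside it.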

--
Gitblit v1.9.1