Changeset 1187 for trunk/action.php


Timestamp:
Apr 16, 2006, 12:53:01 PM (18 years ago)
Author:
chrisaga
Message:
  • security : add some control to download url. Somebody should take it over for other controls
File:
1 edited

  • trunk/action.php

    r986 r1187  
    6666if ( isset( $_GET['dwn'] ) )
    6767{
    68 //TODO : verify the path begins with './gallerie' and doesn't contains any '..'
    69 // in order to avoid hacking atempts
     68//TODO : verify the path begins with something in galleries_url and that user has access rights to the picture
     69// in order to avoid hacking atempts by forged url
     70  if (preg_match('/\.\./',$_GET['dwn'])) {
     71    die('Hacking attempt!');
     72  }
    7073  force_download($_GET['dwn']);
    7174}
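Review bot: the new `preg_match('/\.\./', $_GET['dwn'])` check at lines 70-72 only rejects paths containing a literal `..`; it does not enforce either condition the updated TODO on lines 68-69 describes (path must begin with one of `galleries_url`, and the user must have access rights to the picture), so `force_download($_GET['dwn'])` on line 73 still receives any path that merely lacks `..`, including absolute paths outside the gallery directories. Suggest resolving the requested path with `realpath()` and requiring that the result starts with one of the configured gallery directories before calling `force_download()`, and adding the per-picture access check in the same place rather than leaving it as a TODO; `die('Hacking attempt!')` should probably also log the rejected value so these requests show up in the site's logs.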