hardening: validate XML/KML output paths to prevent directory traversal #85

@somethingwithproof

Problem

xmlCreate() and kmlCreate() in includes/polling/functions.php write XML/KML files to a path constructed from $config['base_path'] combined with a caller-supplied $preemptive value:

$filename = $config['base_path'] . '/plugins/gpsmap/XML/' . trim($preemptive, '.') . '.xml';

trim($preemptive, '.') strips leading/trailing dots but does not prevent ../ sequences in the middle of the string. If the caller can supply $preemptive, this results in an arbitrary write primitive.

Remediation

Validate $preemptive against an allowlist pattern (e.g. preg_match('/^[A-Za-z0-9_\-]+$/', $preemptive)) before constructing the path, and use realpath() to confirm the resolved path remains within the expected directory.

Severity

Medium — exploitation requires attacker control of $preemptive, which is passed from the polling subsystem rather than directly from user input.
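
One way to implement the remediation described above, as an added example that is not code from the plugin or from the issue author. The helper name `gpsmap_safe_output_path()` and its `$subdir` and `$ext` parameters are hypothetical, and the demo directory tree is constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not part of the plugin: returns the absolute output
 * path for a poller-supplied name, or null when the name must be rejected.
 * $subdir ('XML' on the page) and $ext are assumed parameters.
 */
function gpsmap_safe_output_path(string $base_path, string $preemptive, string $subdir, string $ext): ?string
{
    // 1. Allowlist: no dots, slashes, backslashes or NUL bytes can pass.
    //    \A...\z is used instead of ^...$ because in PCRE a bare $ also
    //    matches just before a trailing newline.
    if (preg_match('/\A[A-Za-z0-9_\-]+\z/', $preemptive) !== 1) {
        return null;
    }

    // 2. realpath() returns false for paths that do not exist yet, so
    //    resolve the target directory rather than the file to be created.
    $dir = realpath($base_path . '/plugins/gpsmap/' . $subdir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $candidate = $dir . DIRECTORY_SEPARATOR . $preemptive . '.' . $ext;

    // 3. If the name already exists (possibly as a symlink), the resolved
    //    target must still sit directly inside the expected directory.
    if (is_link($candidate) || file_exists($candidate)) {
        $resolved = realpath($candidate);
        if ($resolved === false || dirname($resolved) !== $dir) {
            return null;
        }
    }
    return $candidate;
}

// Constructed demo: a throwaway tree standing in for $config['base_path'].
$base = sys_get_temp_dir() . '/gpsmap_demo_' . getmypid();
mkdir($base . '/plugins/gpsmap/XML', 0700, true);
foreach (['ap_42', 'a/../../b', "ap_42\n", '..', ''] as $value) {
    $path = gpsmap_safe_output_path($base, $value, 'XML', 'xml');
    printf("%-14s => %s\n", json_encode($value), $path ?? 'REJECTED');
}
```

The symlink check and the later write are not atomic, so the output directory should also be writable only by the account the poller runs as.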
