
fixes #574, new checks on plugin section in URL

1 parent beee647 commit 9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc @plegall plegall committed Jan 1, 2017
Showing with 7 additions and 1 deletion.
  1. +7 −1 admin/plugin.php
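--- a/admin/plugin.php
+++ b/admin/plugin.php
@@ -32,10 +32,16 @@
 $sections = explode('/', $_GET['section'] );
 for ($i=0; $i<count($sections); $i++)
 {
-if (empty($sections[$i]) or $sections[$i]=='..')
+if (empty($sections[$i]))
 {
 unset($sections[$i]);
 $i--;
+continue;
+}
+
+if ($sections[$i] == '..' or !preg_match('/^[a-zA-Z_\.-]+$/', $sections[$i]))
+{
+die('invalid section token ['.htmlentities($sections[$i]).']');
 }
 }
 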
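Review bot: The `unset($sections[$i]); $i--;` branch kept at the top of the new loop never terminates when an empty token is not the last one (`section=/foo` or `section=a//b`): after `unset()` the array keeps its remaining keys while `count()` shrinks, so the next iteration reads a missing `$sections[$i]`, `empty()` is true again, `unset()` is a no-op and `$i--` rewinds to the same index forever, a request hang the new checks do not address. A safer shape is to drop the empty tokens up front with `array_values(array_filter($sections))` (same falsy semantics as `empty()`) and validate with a `foreach`, as below. Separately, PCRE `$` also matches before a trailing newline, so a token such as `foo%0A` passes the new regex; anchor with `\z` (or add the `D` modifier). Whether plugin directory names containing digits must be accepted by `[a-zA-Z_\.-]` I cannot tell from the hunk, and what is done with `$sections` after the loop is outside it.
```php
$sections = explode('/', $_GET['section'] );
// Drop empty tokens first; array_filter() without a callback rejects the same falsy values empty() did
$sections = array_values(array_filter($sections));
foreach ($sections as $section)
{
  // \z, unlike $, does not match before a trailing newline
  if ($section == '..' or !preg_match('/^[a-zA-Z_\.-]+\z/', $section))
  {
    die('invalid section token ['.htmlentities($section).']');
  }
}
```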