Patched potential file path exploit
Fixed a path traversal vulnerability that could have allowed users to specify file
paths elsewhere on the file system to view or delete.
Alexander Breen committed Jan 30, 2015
1 parent 42dff21 commit 6206406
Showing 3 changed files with 12 additions and 0 deletions.
4 changes: 4 additions & 0 deletions delete.php
Expand Up @@ -20,6 +20,10 @@
$num = $_GET['num'];
$type = $_GET['type'];

// protects against attacks where '..' could be used in file path
if (basename($_GET['file']) !== $_GET['file'])
trigger_error('invalid file path');

delete_file($num, $type, $_SESSION['username'], $_GET['file']);

$vars = array();
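Review bot: The new guard does not stop the request — `trigger_error('invalid file path')` defaults to E_USER_NOTICE, so unless an error handler installed elsewhere exits, execution falls through to `delete_file($num, $type, $_SESSION['username'], $_GET['file'])` with the rejected value and the deletion still happens. The check also lets `.` and `..` through, because `basename('..') === '..'`, and it reads `$_GET['file']` without checking it is set. I would make the rejection terminal and explicit: `if (!isset($_GET['file']) || $_GET['file'] === '.' || $_GET['file'] === '..' || basename($_GET['file']) !== $_GET['file'])` followed by `trigger_error('invalid file path', E_USER_ERROR); exit;`. If `delete_file` also builds the path from `$num` and `$type`, those presumably need the same treatment; they are passed through unvalidated here.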
4 changes: 4 additions & 0 deletions download.php
Expand Up @@ -21,6 +21,10 @@
$type = $_GET['type'];
$assignment_name = htmlspecialchars(assignment_name($num, $type));

// protects against attacks where '..' could be used in file path
if (basename($_GET['file']) !== $_GET['file'])
trigger_error('invalid file path');

$path = submission_path($num, $type, $_SESSION['username'], $_GET['file']);

if (!file_exists($path))
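Review bot: A failed check here is not fatal: with no severity argument `trigger_error` raises a notice and the script continues into `submission_path(...)` and the `file_exists($path)` branch with the unvalidated name, so the traversal this commit targets is only logged, not blocked, unless a handler elsewhere exits. The equality test against `basename()` also accepts `.` and `..` unchanged. Replace the single line with `trigger_error('invalid file path', E_USER_ERROR); exit;` and add `$_GET['file'] === '.' || $_GET['file'] === '..' ||` to the condition; the rest of the download logic continues past the hunk and is not visible here.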
4 changes: 4 additions & 0 deletions view_file.php
Expand Up @@ -21,6 +21,10 @@
$type = $_GET['type'];
$assignment_name = htmlspecialchars(assignment_name($num, $type));

// protects against attacks where '..' could be used in file path
if (basename($_GET['file']) !== $_GET['file'])
trigger_error('invalid file path');

$path = submission_path($num, $type, $_SESSION['username'], $_GET['file']);

if (!file_exists($path))
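Review bot: The check is duplicated verbatim in delete.php, download.php and view_file.php, and in all three it is only advisory because `trigger_error` without `E_USER_ERROR` does not halt; a shared helper would fix the severity once and keep the three entry points in step. Something like `function require_safe_filename($name) { if (!is_string($name) || $name === '' || $name === '.' || $name === '..' || basename($name) !== $name) { trigger_error('invalid file path', E_USER_ERROR); exit; } }` called as `require_safe_filename($_GET['file'] ?? '')` before `submission_path(...)` would do it. The `?? ''` needs PHP 7; on the 2015-era runtime use `isset($_GET['file']) ? $_GET['file'] : ''`. The enclosing script continues below the hunk.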

0 comments on commit 6206406

Please sign in to comment.