v1.5 - Improve sanitization.

-v1.5. -Improve sanitization. -Based on input from neogeovr on Reddit.
zelon88 · Nov 19, 2018 · c65891b · c65891b
1 parent 06a644a
commit c65891b
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 11 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,3 +1,11 @@
+COMMIT 11/18/2018
+v1.5 - Improve sanitization.
+
+-v1.5.
+-Improve sanitization.
+-Based on input from neogeovr on Reddit.
+
+--------------------
 COMMIT 10/24/2018
 v1.4 - Fix bugs with auto cleanup of files.
 

diff --git a/sanitizeCore.php b/sanitizeCore.php
@@ -37,16 +37,16 @@
 // / -----------------------------------------------------------------------------------
 // / Sanitize the Token GET variable.
 if (isset($_POST['Token1'])) {
-  $Token1 = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token1']); }
+  $Token1 = str_replace('//', '/', str_replace('..', '', str_replace(str_split('|~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token1']))); }
 if (isset($_POST['Token2'])) {
-  $Token2 = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token2']); }
+  $Token2 = str_replace('//', '/', str_replace('..', '', str_replace(str_split('|~#[](){};:$!#^&%@>*<"\''), '', $_POST['Token2']))); }
 // / -----------------------------------------------------------------------------------
 
 // / -----------------------------------------------------------------------------------
 // / Sanitize the noGui GET variable to disable the descriptive header text.
 // / Good for usage in a small iframe.
 if (isset($_POST['noGui'])) {
-  $_GET = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_GET['noGui']); }
+  $_GET = str_replace('//', '/', str_replace('..', '', str_replace(str_split('|~#[](){};:$!#^&%@>*<"\''), '', $_GET['noGui']))); }
 // / -----------------------------------------------------------------------------------
 
 // / -----------------------------------------------------------------------------------

diff --git a/scanCore.php b/scanCore.php
@@ -50,7 +50,7 @@
 
 // / -----------------------------------------------------------------------------------
 // / The following code sets the global variables for the session.
-$HRScanVersion = 'v1.4';
+$HRScanVersion = 'v1.5';
 $versions = 'PHP-AV App v3.8 | Virus Definition v4.7, 8/19/2018';
 $Date = date("m_d_y");
 $Time = date("F j, Y, g:i a"); 
@@ -69,14 +69,14 @@
 $ScanGuiCounter1 = $ConsolidateLogs = 0;
 $LogFile = $LogDir.'/HRScan2_'.$LogInc.'_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
 $ClamLogFileName = 'ClamScan_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
-$ClamLogFile = $ScanDir.'/'.$ClamLogFileName;
-$ClamLogTempFile = $ScanTempDir.'/'.$ClamLogFileName;
+$ClamLogFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanDir.'/'.$ClamLogFileName)));
+$ClamLogTempFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanTempDir.'/'.$ClamLogFileName)));
 $PHPAVLogFileName = 'PHPAVScan_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
-$PHPAVLogFile = $ScanDir.'/'.$PHPAVLogFileName;
-$PHPAVLogTempFile = $ScanTempDir.'/'.$PHPAVLogFileName;
+$PHPAVLogFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanDir.'/'.$PHPAVLogFileName)));
+$PHPAVLogTempFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanTempDir.'/'.$PHPAVLogFileName)));
 $ConsolidatedLogFileName = 'ScanAll_'.$Date.'_'.substr($SesHash4, -7).'_'.substr($SesHash, -7).'.txt';
-$ConsolidatedLogFile = $ScanDir.'/'.$ConsolidatedLogFileName;
-$ConsolidatedLogTempFile = $ScanTempDir.'/'.$ConsolidatedLogFileName;
+$ConsolidatedLogFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanDir.'/'.$ConsolidatedLogFileName)));
+$ConsolidatedLogTempFile = str_replace('//', '/', str_replace('..', '', str_replace('//','/', $ScanTempDir.'/'.$ConsolidatedLogFileName)));
 $defaultLogDir = $InstLoc.'/Logs';
 $defaultLogSize = '1048576';
 $defaultApps = array('index.html', '.', '..', '..');

diff --git a/versionInfo.php b/versionInfo.php
@@ -1,4 +1,4 @@
 <?php 
 // / This file contains the current HRScan2 version for auto-update purposes.
 
-$Version = 'v1.4';
+$Version = 'v1.5';