| Revisão | 249d6d4ecd2a84e4bc75e7b1fcf92352ccca41ae (tree) |
|---|---|
| Hora | 2008-12-16 09:50:07 |
| Autor | kmorimatsu <kmorimatsu@1ca2...> |
| Commiter | kmorimatsu |
MEDIA::isValidCollection()
git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/nucleus-jp/branches/branch-3-3@727 1ca29b6e-896d-4ea0-84a5-967f57386b96
euc/nucleus/libs/MEDIA.php (diff) utf8/nucleus/libs/MEDIA.php (diff)| @@ -102,14 +102,22 @@ class MEDIA { | ||
| 102 | 102 | function isValidCollection($collectionName) { |
| 103 | 103 | global $member, $DIR_MEDIA; |
| 104 | 104 | |
| 105 | + // allow creating new private directory | |
| 106 | + if (preg_match('#^[0-9]+[/\\\\]?$#',$collectionName)) | |
| 107 | + return ((int)$member->getID() == (int)$collectionName); | |
| 108 | + | |
| 105 | 109 | // avoid directory traversal |
| 110 | + // note that preg_replace() is requred to remove the last "/" or "\" if exists | |
| 106 | 111 | $media = realpath($DIR_MEDIA); |
| 112 | + $media = preg_replace('#[/\\\\]+$#','',$media); | |
| 107 | 113 | $collectionDir = realpath( $DIR_MEDIA . $collectionName ); |
| 108 | - if (strpos($collectionDir,$media)!==0) return false; | |
| 114 | + $collectionDir = preg_replace('#[/\\\\]+$#','',$collectionDir); | |
| 115 | + if (strpos($collectionDir,$media)!==0 || $collectionDir == $media) return false; | |
| 109 | 116 | |
| 110 | 117 | // private collections only accept uploads from their owners |
| 111 | - $collectionName=substr($collectionDir,strlen($media)); | |
| 112 | - if (preg_match('/^[0-9]+[\/\\\\]?$/',$collectionName)) | |
| 118 | + // The "+1" of "strlen($media)+1" corresponds to "/" or "\". | |
| 119 | + $collectionName=substr($collectionDir,strlen($media)+1); | |
| 120 | + if (preg_match('/^[0-9]+$/',$collectionName)) | |
| 113 | 121 | return ((int)$member->getID() == (int)$collectionName); |
| 114 | 122 | |
| 115 | 123 | // other collections should exists and be writable |
| @@ -102,14 +102,22 @@ class MEDIA { | ||
| 102 | 102 | function isValidCollection($collectionName) { |
| 103 | 103 | global $member, $DIR_MEDIA; |
| 104 | 104 | |
| 105 | + // allow creating new private directory | |
| 106 | + if (preg_match('#^[0-9]+[/\\\\]?$#',$collectionName)) | |
| 107 | + return ((int)$member->getID() == (int)$collectionName); | |
| 108 | + | |
| 105 | 109 | // avoid directory traversal |
| 110 | + // note that preg_replace() is requred to remove the last "/" or "\" if exists | |
| 106 | 111 | $media = realpath($DIR_MEDIA); |
| 112 | + $media = preg_replace('#[/\\\\]+$#','',$media); | |
| 107 | 113 | $collectionDir = realpath( $DIR_MEDIA . $collectionName ); |
| 108 | - if (strpos($collectionDir,$media)!==0) return false; | |
| 114 | + $collectionDir = preg_replace('#[/\\\\]+$#','',$collectionDir); | |
| 115 | + if (strpos($collectionDir,$media)!==0 || $collectionDir == $media) return false; | |
| 109 | 116 | |
| 110 | 117 | // private collections only accept uploads from their owners |
| 111 | - $collectionName=substr($collectionDir,strlen($media)); | |
| 112 | - if (preg_match('/^[0-9]+[\/\\\\]?$/',$collectionName)) | |
| 118 | + // The "+1" of "strlen($media)+1" corresponds to "/" or "\". | |
| 119 | + $collectionName=substr($collectionDir,strlen($media)+1); | |
| 120 | + if (preg_match('/^[0-9]+$/',$collectionName)) | |
| 113 | 121 | return ((int)$member->getID() == (int)$collectionName); |
| 114 | 122 | |
| 115 | 123 | // other collections should exists and be writable |
Fork