mirrors/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/fox/tt-rss.git synced 2025-12-09 15:01:00 +01:00
Code Issues Projects Releases Wiki Activity

public/cached_url: forbid sending files with extensions

Browse Source
This commit is contained in:
Andrew Dolgov 2019-08-14 10:45:46 +03:00
parent d2f1cbfcb1
commit 39f459eb04
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
classes/handler/public.php
View File

@ -1204,6 +1204,9 @@ class Handler_Public extends Handler {
function cached_url() { function cached_url() {
list ($cache_dir, $filename) = explode("/", $_GET["file"], 2); list ($cache_dir, $filename) = explode("/", $_GET["file"], 2);
// we do not allow files with extensions at the moment
$filename = str_replace(".", "", $filename);
$cache = new DiskCache($cache_dir); $cache = new DiskCache($cache_dir);
if ($cache->exists($filename)) { if ($cache->exists($filename)) {