diff options
| author | zotlabs <mike@macgirvin.com> | 2017-10-09 15:13:25 -0700 |
|---|---|---|
| committer | zotlabs <mike@macgirvin.com> | 2017-10-09 15:13:25 -0700 |
| commit | 623dfa13845e34c85eae2a66c6aa855c3e059c38 (patch) | |
| tree | 70fbe8f95501df8c264b65dcd08e1b5b9d2898ab /include | |
| parent | 23812e5b48b7a4d4f0c275c0fbb3d244a582397c (diff) | |
| download | volse-hubzilla-623dfa13845e34c85eae2a66c6aa855c3e059c38.tar.gz volse-hubzilla-623dfa13845e34c85eae2a66c6aa855c3e059c38.tar.bz2 volse-hubzilla-623dfa13845e34c85eae2a66c6aa855c3e059c38.zip | |
purify user-supplied filenames in some cases. Probably not needed but it's the right thing to do.
Diffstat (limited to 'include')
| -rw-r--r-- | include/nav.php | 4 | ||||
| -rw-r--r-- | include/text.php | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/include/nav.php b/include/nav.php index 588104eda..718e7befa 100644 --- a/include/nav.php +++ b/include/nav.php @@ -275,8 +275,8 @@ EOT; } } - $c = theme_include('navbar_' . $template . '.css'); - $tpl = get_markup_template('navbar_' . $template . '.tpl'); + $c = theme_include('navbar_' . purify_filename($template) . '.css'); + $tpl = get_markup_template('navbar_' . purify_filename($template) . '.tpl'); if($c && $tpl) { head_add_css('navbar_' . $template . '.css'); diff --git a/include/text.php b/include/text.php index 80914747b..8a65be0d5 100644 --- a/include/text.php +++ b/include/text.php @@ -3156,3 +3156,9 @@ function ellipsify($s,$maxlen) { return mb_substr($s,0,$maxlen / 2) . '...' . mb_substr($s,mb_strlen($s) - ($maxlen / 2)); } + +function purify_filename($s) { + if(($s[0] === '.') || strpos($s,'/') !== false) + return ''; + return $s; +} |