Update of /cvsroot/phpwiki/phpwiki/lib/plugin
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv9325
Modified Files:
UpLoad.php
Log Message:
Important security fix!
Disallow files like "deface.php.3" also. Those are actually in the wild!
Index: UpLoad.php
===================================================================
RCS file: /cvsroot/phpwiki/phpwiki/lib/plugin/UpLoad.php,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -2 -b -p -d -r1.22 -r1.23
--- UpLoad.php 17 Feb 2007 14:16:56 -0000 1.22
+++ UpLoad.php 8 Apr 2007 12:43:45 -0000 1.23
@@ -145,5 +145,5 @@ ws[cfh]");
$userfile_tmpname = $userfile->getTmpName();
$err_header = HTML::h2(fmt("ERROR uploading '%s': ",
$userfile_name));
- if (preg_match("/(\." . join("|\.", $this->disallowed_extensions)
. ")\$/",
+ if (preg_match("/(\." . join("|\.", $this->disallowed_extensions)
. ")(\.|\$)/",
$userfile_name))
{
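Review bot: The pattern on the "+" line still closes with a bare "/" and no "i" modifier, so a name like "deface.PHP.3" is rejected only if $this->disallowed_extensions also lists upper- and mixed-case forms, which these lines do not show. Ending the pattern with ")(\.|\$)/i" would make the match case-insensitive. The check also remains a denylist of regex fragments (the hunk header shows "ws[cfh]"), so any extension not listed is accepted wherever it sits in the name. A one-line comment above the preg_match saying why an extension followed by a further ".suffix" has to be rejected (the "deface.php.3" case from the log message) would keep a later edit from reverting to the "$"-only anchor. An allowlist of permitted extensions would be a sturdier follow-up.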
@@ -240,4 +240,8 @@ ws[cfh]");
// $Log$
+// Revision 1.23 2007/04/08 12:43:45 rurban
+// Important security fix!
+// Disallow files like "deface.php.3" also. Those are actually in the wild!
+//
// Revision 1.22 2007/02/17 14:16:56 rurban
// allow spaces in filenames