
Commit

QA: Further hardening of External Links
Attribution: Aleksey Solovev (Positive Technologies)
Advisory forthcoming.
TheWitness committed Nov 22, 2023
1 parent 261adbc commit a2af4f8
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions link.php
Expand Up @@ -77,10 +77,11 @@
} else {
print '<div id="content">';

$file = CACTI_PATH_INCLUDE . '/content/' . basename($page['contentfile']);
$basepath = CACTI_PATH_INCLUDE . '/content';
$file = realpath($basepath . '/' . $page['contentfile']);

if (file_exists($file)) {
include_once($file);
if ($file !== false && substr($file, 0, strlen($basepath)) == $basepath) {
print file_get_contents($file);
} else {
print '<h1>The file \'' . html_escape($page['contentfile']) . '\' does not exist!!</h1>';
}
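
Review bot: The containment test in the new `if` compares against `$basepath` as built, with no trailing separator and without canonicalising it, so `substr($file, 0, strlen($basepath)) == $basepath` also accepts a resolved path in a sibling directory whose name merely begins with `content`, and it rejects every valid file when `CACTI_PATH_INCLUDE` is reached through a symlink or contains non-canonical segments. Suggest resolving the base once with `realpath($basepath)`, treating a `false` result as "not found", and comparing `$file` against that value plus `DIRECTORY_SEPARATOR` with `strncmp(...) === 0`. The switch from `include_once($file)` to `print file_get_contents($file)` also means content files are emitted verbatim and any PHP in them no longer runs; that behaviour change deserves a code comment or a line in the commit message, since existing content files may rely on it.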