Project

General

Profile

« Previous | Next » 

Revision 1400

Added by FrankH over 13 years ago

  1. Security fix in account
  2. Security fix in admin/media, thanks to hal 9000

View differences:

delete.php
1 1 
<?php
2 
/**
3 
 *
4 
 * @category        admin
5 
 * @package         admintools
6 
 * @author          WebsiteBaker Project
7 
 * @copyright       2004-2009, Ryan Djurovich
8 
 * @copyright       2009-2011, Website Baker Org. e.V.
9 
 * @link			http://www.websitebaker2.org/
10 
 * @license         http://www.gnu.org/licenses/gpl.html
11 
 * @platform        WebsiteBaker 2.8.x
12 
 * @requirements    PHP 5.2.2 and higher
13 
 * @version         $Id$
14 
 * @filesource		$HeadURL:  $
15 
 * @lastmodified    $Date:  $
16 
 *
17 
 */
2 18 

  		




  3
  
  
    
// $Id$


  		




  4
  
  
    

  		




  5
  
  
    
/*


  		




  6
  
  
    

  		




  7
  
  
    
 Website Baker Project <http://www.websitebaker.org/>


  		




  8
  
  
    
 Copyright (C) 2004-2009, Ryan Djurovich


  		




  9
  
  
    

  		




  10
  
  
    
 Website Baker is free software; you can redistribute it and/or modify


  		




  11
  
  
    
 it under the terms of the GNU General Public License as published by


  		




  12
  
  
    
 the Free Software Foundation; either version 2 of the License, or


  		




  13
  
  
    
 (at your option) any later version.


  		




  14
  
  
    

  		




  15
  
  
    
 Website Baker is distributed in the hope that it will be useful,


  		




  16
  
  
    
 but WITHOUT ANY WARRANTY; without even the implied warranty of


  		




  17
  
  
    
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the


  		




  18
  
  
    
 GNU General Public License for more details.


  		




  19
  
  
    

  		




  20
  
  
    
 You should have received a copy of the GNU General Public License


  		




  21
  
  
    
 along with Website Baker; if not, write to the Free Software


  		




  22
  
  
    
 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA


  		




  23
  
  
    

  		




  24
  
  
    
*/


  		




  25
  
  
    

  		




  26
  19
  
    
// Create admin object


  		




  27
  20
  
    
require('../../config.php');


  		




  28
  21
  
    
require_once(WB_PATH.'/framework/class.admin.php');


  		




  ......




  36
  29
  
    
if($directory == '/') {


  		




  37
  30
  
    
	$directory = '';


  		




  38
  31
  
    
}


  		




  39
  
  
    
// Check to see if it contains ../


  		




  40
  
  
    
if(strstr($directory, '../')) {


  		




  
  32
  
    

  		




  
  33
  
    
// Check to see if it contains ..


  		




  
  34
  
    
if (!check_media_path($directory)) {


  		




  41
  35
  
    
	$admin->print_header();


  		




  42
  36
  
    
	$admin->print_error($MESSAGE['MEDIA']['DOT_DOT_SLASH']);


  		




  43
  37
  
    
}


  		




  44
  38
  
    

  		




  45
  39
  
    
// Get the temp id


  		




  46
  
  
    
if(!is_numeric($admin->get_get('id'))) {


  		




  47
  
  
    
	header("Location: browse.php?dir=$directory");


  		




  48
  
  
    
	exit(0);


  		




  49
  
  
    
} else {


  		




  50
  
  
    
	$file_id = $admin->get_get('id');


  		




  
  40
  
    
$file_id = $admin->checkIDKEY('id', false, 'GET');


  		




  
  41
  
    
if (!$file_id) {


  		




  
  42
  
    
	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], WB_URL);


  		




  51
  43
  
    
}


  		




  52
  44
  
    

  		




  53
  45
  
    
// Get home folder not to show


  		












Also available in:  Unified diff