+
+2006-05-15 Martin Kutschker <martin.t.kutschker@blackbox.net>
+
+ * Fix bug #3364: Changed t3lib_div::validPathStr() that it rejects files starting with ../ or containing /../, but allows ..
+
2006-05-05 Stanislas Rolland <stanislas.rolland@fructifor.ca>
* Fixes and features to htmlArea RTE extension (see details in local ChangeLog)
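Review bot: The new ChangeLog entry ends with "but allows .." without saying where two dots are now accepted, so a reader cannot tell which inputs changed from rejected to accepted. Suggest naming the case explicitly, for example ".." inside a file or directory name, and keeping the wording in step with the updated @return text of validPathStr(), which speaks of '/../' and a leading '../'. Whether a path that ends in "/.." is accepted is not stated in the entry and should be.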
* Usage: 14
*
* @param string Filepath to evaluate
- * @return boolean True, if no '//', '..' or '\' is in the $theFile
+ * @return boolean True, if no '//', '\', '/../' is in the $theFile and $theFile doesn't begin with '../'
* @todo Possible improvement: Should it rawurldecode the string first to check if any of these characters is encoded ?
*/
function validPathStr($theFile) {
- if (!strstr($theFile,'//') && !strstr($theFile,'..') && !strstr($theFile,'\\')) return true;
+ if (!strstr($theFile,'//') && !strstr($theFile,'\\') && !preg_match('|(?:^\.\.|/\.\./|',$theFile)) return true;
}
/**
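Review bot: The pattern on the added `if` line of validPathStr() uses `|` both as the PCRE delimiter and as the alternation operator, and the `(?:` group is never closed. PHP ends the pattern at the first inner `|`, so preg_match() fails with a warning and returns false. `!preg_match(...)` is then true, and the function accepts any string without `//` or `\`, including ones that start with `../` or contain `/../`. Suggest a delimiter that does not occur in the pattern and a closed group, e.g. `'#(?:^\.\./|/\.\./)#'`. Two further points on the same line: `^\.\.` without a trailing slash rejects every name that begins with two dots, which does not match the new @return text ("doesn't begin with '../'"), and a path ending in `/..` is matched by neither alternative, so that case needs an explicit decision. A test covering `../x`, `a/../b`, `a/..` and `a..b` would pin the intended behaviour down.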