View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010003 | mantisbt | plug-ins | public | 2008-12-28 17:53 | 2009-01-15 11:25 |
Reporter | NT | Assigned To | jreese |
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | closed | Resolution | fixed |
Product Version | git trunk |
Target Version | 1.2.0a3 | Fixed in Version | 1.2.0a3 |
Summary | 0010003: plugin_file.php cannot access subdirectories. |
Description | plugin_file.php is used to access files in plugins/xxxx/files. |
Tags | No tags attached. |
Attached Files | 0001-Allow-plugin_file.php-to-fetch-from-subdirectories-o.patch (825 bytes)
From bda24faa27d288a40608eeac167f11057f80d0db Mon Sep 17 00:00:00 2001 From: Nick Tucker <nkjtkr+mantis@googlemail.com> Date: Sun, 28 Dec 2008 22:15:45 +0000 Subject: [PATCH] Allow plugin_file.php to fetch from subdirectories of the plugins "files" directory. --- plugin_file.php | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/plugin_file.php b/plugin_file.php index 6ddd05b..cc38790 100644 --- a/plugin_file.php +++ b/plugin_file.php @@ -33,7 +33,7 @@ $t_plugin_path = config_get( 'plugin_path' ); $f_file = gpc_get_string( 'file' ); $t_matches = array(); -if ( !preg_match( '/^([a-zA-Z0-9_-]*)\/([a-zA-Z0-9._-]*)/', $f_file, $t_matches ) ) { +if ( !preg_match( '/^([a-zA-Z0-9_-]*)\/([\/a-zA-Z0-9._-]*)/', $f_file, $t_matches ) ) { trigger_error( ERROR_GENERIC, ERROR ); } -- 1.5.6.4 | ||||
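Review bot: In the changed `preg_match` line, the second capture group `([\/a-zA-Z0-9._-]*)` now accepts `/` alongside `.`, so a value containing `../` segments or a doubled slash still satisfies the pattern. The expression also has `^` but no end anchor, so anything after the first disallowed character is ignored rather than rejected. Suggest anchoring the pattern at the end of the string and refusing any path segment that is empty, `.` or `..` before the value is used to build a file name, so that only descendants of the plugin's files directory can be named. The first group uses `*`, which lets an empty plugin name through; `+` would require at least one character.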
MantisBT: master eaab5fd5 2009-01-03 15:14 |
Fix 0010003: Allow plugin_file() and plugin_page() limited access to subdirectories. This should disallow absolute paths, and relative ../ type of parent paths, for security reasons. |
Affected Issues 0010003 |
mod - plugin_file.php |
mod - plugin.php |
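
The constraint stated in the changeset above (subdirectories allowed, absolute paths and `../` parent paths refused), written out as an added example that is not MantisBT's code. The function `example_parse_plugin_file()` is hypothetical and the sample values are constructed for illustration.

```php
<?php
/**
 * Hypothetical validator for a "<plugin>/<relative path>" request value.
 * Returns array( plugin, relative path ), or null when the value is not a
 * plain relative path below the plugin's files directory.
 */
function example_parse_plugin_file( $p_file ) {
	# Plugin name, then one or more path characters. \z anchors at the true
	# end of the string; $ would also match before a trailing newline.
	$t_pattern = '/^([a-zA-Z0-9_-]+)\/([a-zA-Z0-9._\/-]+)\z/';
	$t_matches = array();
	if ( !preg_match( $t_pattern, $p_file, $t_matches ) ) {
		return null;
	}

	foreach ( explode( '/', $t_matches[2] ) as $t_segment ) {
		# '' means a leading, trailing or doubled slash; '.' and '..' are
		# the current-directory and parent-directory entries.
		if ( $t_segment === '' || $t_segment === '.' || $t_segment === '..' ) {
			return null;
		}
	}

	return array( $t_matches[1], $t_matches[2] );
}

# Constructed sample inputs, not taken from the issue.
$t_samples = array(
	'Example/logo.png',             # file directly in files/
	'Example/css/site.css',         # file in a subdirectory
	'Example/css/../../other.txt',  # parent-directory segments
	'Example//absolute/file.txt',   # doubled slash
	'/absolute/file.txt',           # no plugin name, absolute path
	"Example/logo.png\n",           # trailing newline
);

foreach ( $t_samples as $t_sample ) {
	$t_result = example_parse_plugin_file( $t_sample );
	printf( "%-34s %s\n",
		json_encode( $t_sample, JSON_UNESCAPED_SLASHES ),
		$t_result === null ? 'rejected' : 'accepted' );
}
```

A string check like this does not account for symbolic links inside the files directory; comparing the `realpath()` of the final file name against the `realpath()` of the plugin's files directory covers that case.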