[Tickets #7646] Re: Driver 'file' fails to open files with '..' anywhere in name
bugs at horde.org
Thu Nov 6 13:38:34 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7646
------------------------------------------------------------------------------
Ticket | 7646
Updated By | andrew at aklabs.net
Summary | Driver 'file' fails to open files with '..' anywhere in name
Queue | Gollem
Version | 1.0.3
Type | Bug
State | Feedback
Priority | 2. Medium
Milestone |
Patch | 1
Owners |
------------------------------------------------------------------------------
andrew at aklabs.net (2008-11-06 08:38) wrote:
> What about paths like file.pdf/../../../etc/passwd ?
I tried that, and it's stripped out. Any filename that has / in it (on
my unix box, at least) will only use the portion after the last / , as
if you had run 'basename' against it. So in this case the file is
simply renamed 'passwd' in the current directory.
> Much less importantly, ereg_* is deprecated and against Horde CS;
> please use the pcre functions instead (although this particular case
> doesn't even need a regex).
I just used a regex 'cause it was the only way I knew for sure to only
check the beginning of the string. I'll submit another patch later
today that uses pcre instead.
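
The distinction this ticket turns on, between a file name that merely contains '..' and a path with a '..' component, shown as an added PHP example. It is not Gollem's code or the submitted patch; the function names and sample inputs are constructed for illustration, and no regex is used.

```php
<?php
// Added example, not Gollem's code. Function names and samples are constructed.

/**
 * True if $name is usable as a single file name: non-empty, no path
 * separators, no NUL byte, and not exactly '.' or '..'.
 * A name that only contains '..' (e.g. "report..final.pdf") is accepted.
 */
function is_plain_filename($name)
{
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // Reject separators instead of silently keeping the last component.
    if (strpbrk($name, '/\\') !== false) {
        return false;
    }
    // Reject embedded NUL bytes.
    return strpos($name, "\0") === false;
}

/**
 * True if any component of $path is exactly '..' (a real parent reference).
 */
function has_parent_component($path)
{
    $parts = explode('/', str_replace('\\', '/', $path));
    return in_array('..', $parts, true);
}

// Constructed sample inputs, including the path quoted in the ticket.
$samples = array(
    'report..final.pdf',
    '..hidden',
    '..',
    'file.pdf/../../../etc/passwd',
);

foreach ($samples as $s) {
    printf(
        "%-30s plain=%-5s parent=%-5s basename=%s\n",
        $s,
        var_export(is_plain_filename($s), true),
        var_export(has_parent_component($s), true),
        basename($s)
    );
}
```

The `basename` column shows what remains when only the portion after the last `/` is kept, which is the behaviour described in the reply above.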