author | nashe <thomas@chauchefoin.fr> | 2018-04-29 23:31:20 +0200 |
---|---|---|
committer | nashe <thomas@chauchefoin.fr> | 2018-04-29 23:31:20 +0200 |
commit | cfbc2eee5d971d33c07597a992b41a1507b6fba5 (patch) | |
tree | 01d0f76bdc69fa71ce2100285df7fd1c5765fb21 | |
parent | 1190ec50eaff97125861d80a051ad90499c4841b (diff) | |
Be more strict with $_GET[type] filtering before inclusion
-rwxr-xr-x | index.php | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -36,7 +36,7 @@ if (isset($_GET['type']) && $_GET['type'] == 'atom10') {
 //Go display
 if (!isset($_GET['type']) ||
 !is_file(__DIR__.'/custom/views/'.$_GET['type'].'/index.tpl.php') ||
- strpos($_GET['type'], DIRECTORY_SEPARATOR)){
+ strpos($_GET['type'], DIRECTORY_SEPARATOR) || strpos($GET['type'], '..')){
 $_GET['type'] = 'default';
 }
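Review bot: The added clause on the `+` line reads `$GET['type']` instead of `$_GET['type']`, so it tests an undefined variable and `strpos(null, '..')` never matches; the `..` filter this commit sets out to add therefore has no effect, and an undefined-variable notice is the only visible symptom. The new clause also repeats the bare truthiness test already used for `DIRECTORY_SEPARATOR`: `strpos()` returns `0` when the needle sits at offset 0, which is falsy, so a value beginning with `..` or a separator would still pass even with the typo fixed. An allow-list is shorter and closes both gaps, `!preg_match('/^[A-Za-z0-9_-]+$/', $_GET['type'])` in place of the two `strpos` clauses, and it belongs before the `is_file()` call so the filesystem is not probed with a path built from unvalidated input. The `if` statement is shown in full in the hunk; the rest of the file is not.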