From 894c718a415839f3683daaf251f15c3793358408 Mon Sep 17 00:00:00 2001
From: Romain d'Alverny <rda@mageia.org>
Date: Thu, 24 May 2012 13:45:08 +0000
Subject: check path of files to diff

---
 langs/diff.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'langs/diff.php')

diff --git a/langs/diff.php b/langs/diff.php
index f0518d5ad..e9a3c44f8 100644
--- a/langs/diff.php
+++ b/langs/diff.php
@@ -18,7 +18,6 @@ if (!file_exists($source_file)) {
 }
 
 include 'lib.php';
-include '../langs.inc.php';
 
 $target_file = _lang_file_switch($source_file, $target_lang);
 
@@ -26,6 +25,15 @@ if (!file_exists($target_file)) {
     die('no target');
 }
 
+$source_file = realpath($source_file);
+$target_file = realpath($target_file);
+
+if (false === strstr($source_file, '/langs/') ||
+    false == strstr($target_file, '/langs/')) {
+    die('no sorry');
+}
+
+
 $diff = _lang_diff($source_file, $target_file);
 
 $s = '<a href="report.php">&laquo; back to langs report</a>';
-- 
cgit v1.2.1