From 9bb302b92ca58d9204290363b190ef4b57009ec6 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 9 Nov 2014 22:29:25 +0100
Subject: [ticket/security-169] Stop loop through referer dir in top directory

SECURITY-169
---
 phpBB/phpbb/path_helper.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'phpBB/phpbb/path_helper.php')

diff --git a/phpBB/phpbb/path_helper.php b/phpBB/phpbb/path_helper.php
index 936564d8b6..3c4f17d1b7 100644
--- a/phpBB/phpbb/path_helper.php
+++ b/phpBB/phpbb/path_helper.php
@@ -278,10 +278,16 @@ class path_helper
 			$referer_dir = dirname($referer_dir);
 		}
 
-		while (strpos($absolute_board_url, $referer_dir) !== 0)
+		while (($dir_position = strpos($absolute_board_url, $referer_dir)) !== 0)
 		{
 			$fixed_root_path .= '../';
 			$referer_dir = dirname($referer_dir);
+
+			// Just return phpbb_root_path if we reach the top directory
+			if ($referer_dir === '.')
+			{
+				return $this->phpbb_root_path;
+			}
 		}
 
 		$fixed_root_path .= substr($absolute_board_url, strlen($referer_dir) + 1);
-- 
cgit v1.2.1