author | Andrey Andreev <narf@devilix.net> | 2016-07-26 18:37:23 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-07-26 18:37:23 +0200 |
commit | a9874a638970ef826f835718e58b197ff3672566 (patch) | |
tree | 2ca214ccfeff6d7bc7655b3071c9d3e06923e151 /system/helpers | |
parent | 121aea89e2eb6a4d48de83d2618b263b5c87dd75 (diff) | |
parent | c1699561a68501dd25e558871b18eb9fbed3e017 (diff) |
Merge pull request #4709 from nopesled/develop
Filter php:// wrappers in set_realpath() helper
Diffstat (limited to 'system/helpers')
-rw-r--r-- | system/helpers/path_helper.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php
index 838ece9e9..18e175093 100644
--- a/system/helpers/path_helper.php
+++ b/system/helpers/path_helper.php
@@ -61,7 +61,7 @@ if ( ! function_exists('set_realpath'))
 function set_realpath($path, $check_existance = FALSE)
 {
 // Security check to make sure the path is NOT a URL. No remote file inclusion!
- if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path )
+ if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|php:\/\/)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path )
 {
 show_error('The path you submitted must be a local server path, not a URL');
 } |
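Review bot: The prefix check in the changed `if` is still a denylist of named schemes, so with `php://` added, every other stream wrapper PHP registers (for example `phar://` or `data://`) still passes it unchanged. Matching any scheme prefix would close the whole class rather than one entry per report, e.g. `if (preg_match('#^([a-z][a-z0-9+.\-]+:\/\/|www\.|ftp)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path)`. The two-character minimum on the scheme keeps Windows drive letters from matching. The rest of set_realpath() lies outside the hunk, so it cannot be confirmed from here whether a later realpath() or existence check already rejects such paths. A unit test that feeds non-local schemes to the helper would pin the intended behaviour.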