diff options
| author | nopesled <x86sec@yahoo.ie> | 2016-07-07 18:40:47 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-07-07 18:40:47 +0200 |
| commit | 64d9d1ec12be9f02459a5e5c8a9124fc97686529 (patch) | |
| tree | 8f663ae7c2fe33ea9e19f78be2ab6b45090650e9 /system/helpers | |
| parent | c20db3181733f701987d856f793f22b227d21762 (diff) | |
Update path_helper.php
Protect against RFI via php:// wrapper
Diffstat (limited to 'system/helpers')
| -rw-r--r-- | system/helpers/path_helper.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php index 838ece9e9..f3757affb 100644 --- a/system/helpers/path_helper.php +++ b/system/helpers/path_helper.php @@ -61,7 +61,7 @@ if ( ! function_exists('set_realpath')) function set_realpath($path, $check_existance = FALSE) { // Security check to make sure the path is NOT a URL. No remote file inclusion! - if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path ) + if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|php)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path ) { show_error('The path you submitted must be a local server path, not a URL'); } |