summaryrefslogtreecommitdiffstats
path: root/system
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2016-07-26 18:37:23 +0200
committerAndrey Andreev <narf@devilix.net>2016-07-26 18:38:09 +0200
commit0e49b7879f5c40074d77e6aefc4d924cb527abbf (patch)
tree6da7e9f3086c03dc87e8834285e577cce43a32f4 /system
parentc3a6bfdc30fdba41f4cded7c5ecd4b98f65af02d (diff)
Merge pull request #4709 from nopesled/develop
Filter php:// wrappers in set_realpath() helper
Diffstat (limited to 'system')
-rw-r--r--system/helpers/path_helper.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php
index 838ece9e9..18e175093 100644
--- a/system/helpers/path_helper.php
+++ b/system/helpers/path_helper.php
@@ -61,7 +61,7 @@ if ( ! function_exists('set_realpath'))
function set_realpath($path, $check_existance = FALSE)
{
// Security check to make sure the path is NOT a URL. No remote file inclusion!
- if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path )
+ if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|php:\/\/)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path )
{
show_error('The path you submitted must be a local server path, not a URL');
}