From 64d9d1ec12be9f02459a5e5c8a9124fc97686529 Mon Sep 17 00:00:00 2001 From: nopesled Date: Thu, 7 Jul 2016 17:40:47 +0100 Subject: Update path_helper.php Protect against RFI via php:// wrapper --- system/helpers/path_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php index 838ece9e9..f3757affb 100644 --- a/system/helpers/path_helper.php +++ b/system/helpers/path_helper.php @@ -61,7 +61,7 @@ if ( ! function_exists('set_realpath')) function set_realpath($path, $check_existance = FALSE) { // Security check to make sure the path is NOT a URL. No remote file inclusion! - if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path ) + if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|php)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path ) { show_error('The path you submitted must be a local server path, not a URL'); } -- cgit v1.2.3-24-g4f1b From 85eaa0bff12574b8a1c08b68942ff070e6bb341c Mon Sep 17 00:00:00 2001 From: nopesled Date: Thu, 7 Jul 2016 17:48:22 +0100 Subject: Update path_helper.php --- system/helpers/path_helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/helpers/path_helper.php b/system/helpers/path_helper.php index f3757affb..18e175093 100644 --- a/system/helpers/path_helper.php +++ b/system/helpers/path_helper.php @@ -61,7 +61,7 @@ if ( ! function_exists('set_realpath')) function set_realpath($path, $check_existance = FALSE) { // Security check to make sure the path is NOT a URL. No remote file inclusion! - if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|php)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path ) + if (preg_match('#^(http:\/\/|https:\/\/|www\.|ftp|php:\/\/)#i', $path) OR filter_var($path, FILTER_VALIDATE_IP) === $path ) { show_error('The path you submitted must be a local server path, not a URL'); } -- cgit v1.2.3-24-g4f1b