Commit 3798d1c2 authored by Pablo Rauzy's avatar Pablo Rauzy

fix potential security issue

parent 51817c45
......@@ -791,10 +791,10 @@ elseif (isset($_GET['newpage'])) {
}
$group = $db->escapeString($_POST['new_group']);
$title_db = $db->escapeString(htmlspecialchars($title, ENT_HTML5 | ENT_QUOTES, 'UTF-8'));
$type = $_POST['new_type'];
$type = array('page' => 'page', 'link' => 'link')[$_POST['new_type']];
$prefix = str_replace('..', '', $_POST['new_folder']);
$suffix = ($type == 'link') ? '' : '.html';
if ($_POST['new_file'] == 'AUTO') {
$suffix = ($type == 'link') ? '' : '.html';
setlocale(LC_ALL, locale_accept_from_http($_SERVER['HTTP_ACCEPT_LANGUAGE']));
$file = $prefix.strtolower(preg_replace('/[^A-Za-z0-9-]+/', '-', iconv('utf-8', 'us-ascii//TRANSLIT', $title)));
if ($db->querySingle("select 1 from pages where file='$file$suffix'")) {
......@@ -806,6 +806,7 @@ elseif (isset($_GET['newpage'])) {
}
else {
$file = $prefix.str_replace('..', '', $_POST['new_file']);
if ($type == 'page' && (substr($file, -5) != '.html')) { $file .= '.html'; }
}
$status = ($type == 'link') ? 'lnk' : 'new';
$content = ($type == 'link') ? $settings['url'] : $db->escapeString("<h2>$title</h2><p>Nothing here yet.</p>");
......
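Review bot: The existence check `select 1 from pages where file='$file$suffix'` in the first hunk still interpolates `$file` into SQL unescaped, and `$file` begins with `$prefix`, which is `$_POST['new_folder']` with only `..` stripped, so a quote in that field reaches the query; the commit does not touch this. Escape it the way `$group` and `$title_db` already are, e.g. `$db->querySingle("select 1 from pages where file='".$db->escapeString($file.$suffix)."'")`, or switch to a prepared statement. The new allow-list lookup for `$type` also yields `null` (with an undefined-key warning) for any other `new_type`, after which the code carries on with the page defaults; rejecting the request when `$type === null` would be safer. Stripping `..` from `new_folder` and `new_file` does not stop an absolute path, so it is worth checking whether `$file` is later used as a filesystem path; that code, and the rest of the `elseif` block, lies outside the visible hunks.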