From ae87964f8cada23f00f7e08d9c690dbefa275fed Mon Sep 17 00:00:00 2001 From: John Campbell Date: Thu, 24 Oct 2019 11:02:19 -0600 Subject: [PATCH] Security fix for #81 (insecure php setups) --- index.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/index.php b/index.php index 3bdc6b9..5d4549c 100644 --- a/index.php +++ b/index.php @@ -59,6 +59,9 @@ if($_POST) { } $file = $_REQUEST['file'] ?: '.'; +// strip url syntax, like file://.... +$file = preg_replace('@^.+://@','',$file); + if($_GET['do'] == 'list') { if (is_dir($file)) { $directory = $file;