author | Olav Morken <olav.morken@uninett.no> | 2011-10-28 08:17:01 +0000 |
---|---|---|
committer | Olav Morken <olav.morken@uninett.no> | 2011-10-28 08:17:01 +0000 |
commit | cf2658cd47deb154d3250d23e485f7b9ee93488d (patch) | |
tree | e2fb053671288f74c88bb6ec88cdf82c32b14312 | |
parent | 0b854969a359a00cec0c009e25cc0e830cb4d08c (diff) | |
module.php: Be more paranoid when verifying paths.
Cannot see a way that this can be used to escape the module www
directory, but being more specific in the test won't hurt.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2961 44740490-163a-0410-bde0-09ae8108e29a
-rw-r--r-- | www/module.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/www/module.php b/www/module.php index 19ccc58..14bfd4c 100644 --- a/www/module.php +++ b/www/module.php @@ -75,9 +75,9 @@ try { * URL will detect both '../' and './'. Searching for '\' will detect attempts to * use Windows-style paths. */ - if (strpos($url, '\\')) { + if (strpos($url, '\\') !== FALSE) { throw new SimpleSAML_Error_BadRequest('Requested URL contained a backslash.'); - } elseif (strpos($url, './')) { + } elseif (strpos($url, './') !== FALSE) { throw new SimpleSAML_Error_BadRequest('Requested URL contained \'./\'.'); } |
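Review bot: in both conditions, strpos($url, '\\') and strpos($url, './'), the strict !== FALSE comparison is needed because strpos() returns 0 for a match at the very start of the string, which the old truthiness test treated as "not found", but the comment block above the checks does not record this. Suggest adding a line to that comment stating that a match at offset 0 must also be rejected, plus a regression test with a URL that begins with each pattern. Separately, both tests are substring matches, so a dot segment that is not followed by a slash is not covered by the './' test. Whether that case can reach this point depends on how $url is built above the hunk, which is not visible here. Splitting $url on '/' and rejecting any segment equal to '.' or '..' would state the intent more directly.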