Changeset 3075 for trunk/system/libraries/Router.php

Timestamp:

07/11/2008 12:19:58 PM (5 months ago)

Author:

Shadowhand

Message:

Further fixes for #684. We now check to make sure the controller is within the path being searched, to prevent malicious URI segments with dot paths. Can we get any more secure?

Files:

• trunk/system/libraries/Router.php (modified) (3 diffs)

trunk/system/libraries/Router.php

@@ -99 +99 @@
                         $controller_path .= $segment;
 
-
                         $found = FALSE;
                         foreach ($paths as $dir)
@@ -111 +110 @@
                                         $found = TRUE;
 
-                                        if (is_file($dir.$controller_path.EXT))
+                                        // The controller must be a file that exists with the search path
+                                        if ($c = str_replace('\\', '/', realpath($dir.$controller_path.EXT)) 
+                                            AND is_file($c) AND strpos($c, $dir) === 0)
                                         {
                                                 // Set controller name
@@ -117 +118 @@
 
                                                 // Change controller path
-                                                self::$controller_path = $dir.$controller_path.EXT;
+                                                self::$controller_path = $c;
 
                                                 // Set the method segment