4784: Added a regex check on the file name, allow only [0-9]+.html format. Also...

author harris wong <hwong@ocad.ca>

Wed, 31 Aug 2011 16:10:02 +0000 (16:10 -0000)

committer harris wong <hwong@ocad.ca>

Wed, 31 Aug 2011 16:10:02 +0000 (16:10 -0000)
author harris wong <hwong@ocad.ca>
Wed, 31 Aug 2011 16:10:02 +0000 (16:10 -0000)
committer harris wong <hwong@ocad.ca>
Wed, 31 Aug 2011 16:10:02 +0000 (16:10 -0000)
diff --git a/docs/get_acheck.php b/docs/get_acheck.php

index 74d0071..c225f6a 100644 (file)
--- a/docs/get_acheck.php
+++ b/docs/get_acheck.php
@@ -27,17 +27,17 @@ $args = substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME']));
  $file = AT_CONTENT_DIR . $args;
  
  //check that this file is within the content directory & exists
+if (preg_match('/^\/[0-9]+\.html$/', $args) === 1) {
+    $real = realpath($file);
+    if (file_exists($real) && substr($real, 0, strlen(AT_CONTENT_DIR)) == AT_CONTENT_DIR) {
+       header('Content-Type: text/html');
+           echo file_get_contents($real);
+           exit;
+       }
+} 
+header('HTTP/1.1 404 Not Found');
+exit;
  
-$real = realpath($file);
  
-if (substr($real, 0, strlen(AT_CONTENT_DIR)) == AT_CONTENT_DIR) {
-       header('Content-Type: text/html');
-       echo file_get_contents($real);
-       exit;
-} else {
-       header('HTTP/1.1 404 Not Found');
-       exit;
-}
  
-
-?>
-\ No newline at end of file
+?>
author	harris wong <hwong@ocad.ca>
	Wed, 31 Aug 2011 16:10:02 +0000 (16:10 -0000)
committer	harris wong <hwong@ocad.ca>
	Wed, 31 Aug 2011 16:10:02 +0000 (16:10 -0000)