author | Björn Schießle <schiessle@owncloud.com> | 2012-09-26 21:35:14 +0200 |
---|---|---|
committer | Björn Schießle <schiessle@owncloud.com> | 2012-09-26 21:35:14 +0200 |
commit | 9ab887fed543a22f8a57e3322eb4ff23834e2f86 (patch) | |
tree | 285fd86d853a1be88afd15860ef3a87e954d937b /apps/files_external/ajax | |
parent | a7292e897a70a2f7e79f61396d4888cb694f0860 (diff) | |
download | nextcloud-server-9ab887fed543a22f8a57e3322eb4ff23834e2f86.tar.gz nextcloud-server-9ab887fed543a22f8a57e3322eb4ff23834e2f86.zip |
fix security issue, don't allow to go back in the path
Diffstat (limited to 'apps/files_external/ajax')
-rw-r--r-- | apps/files_external/ajax/removeRootCertificate.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/files_external/ajax/removeRootCertificate.php b/apps/files_external/ajax/removeRootCertificate.php
index 9b78e180d9e..f87d4a56308 100644
--- a/apps/files_external/ajax/removeRootCertificate.php
+++ b/apps/files_external/ajax/removeRootCertificate.php
@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::callCheck();
 $view = \OCP\Files::getStorage("files_external");
-$cert = $_POST['cert'];
+$cert = ltrim($_POST['cert'], "/.");
 $file = \OCP\Config::getSystemValue('datadirectory').$view->getAbsolutePath("").'uploads/'.$cert;
 unlink($file);
 OC_Mount_Config::createCertificateBundle(); |
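Review bot: The new `ltrim($_POST['cert'], "/.")` strips only leading slashes and dots, so a parent-directory segment anywhere after the first kept character still reaches `unlink($file)` and the resolved path can leave `uploads/`. Reducing the value to a single file name closes that gap, e.g. `$cert = basename($_POST['cert']);`, followed by a guard such as `if ($cert === '' || !is_file($file)) { exit; }` before the delete. The return value of `unlink()` is also ignored, so the caller cannot tell a failed or refused delete from a successful one. The start of the script is outside the hunk, so any earlier validation of `cert` is not visible here.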