Restrict requested app to apps directory

author: Michael Gapczynski <GapczynskiM@gmail.com> 2012-05-29 12:31:47 -0400
committer: Michael Gapczynski <GapczynskiM@gmail.com> 2012-05-29 12:31:47 -0400
commit: fbe58755e58675231feb443b52d2f670b8a78434 (patch)
tree: 0f097c471278070b0ff7f4792970395d0e812745 /lib
parent: d334f33eba3c1b600f077caa8bbaf8bf872e86cc (diff)
download: nextcloud-server-fbe58755e58675231feb443b52d2f670b8a78434.tar.gz
nextcloud-server-fbe58755e58675231feb443b52d2f670b8a78434.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/base.php b/lib/base.php
index cc715afac5d..fdb682bf503 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -437,7 +437,7 @@ class OC{
 		register_shutdown_function(array('OC_Helper','cleanTmp'));
 		
 		//parse the given parameters
-		self::$REQUESTEDAPP = (isset($_GET['app'])?str_replace('\0', '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
+		self::$REQUESTEDAPP = (isset($_GET['app'])?str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
 		if(substr_count(self::$REQUESTEDAPP, '?') != 0){
 			$app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?'));
 			$param = substr(self::$REQUESTEDAPP, strpos(self::$REQUESTEDAPP, '?') + 1);
author	Michael Gapczynski <GapczynskiM@gmail.com>	2012-05-29 12:31:47 -0400
committer	Michael Gapczynski <GapczynskiM@gmail.com>	2012-05-29 12:31:47 -0400
commit	fbe58755e58675231feb443b52d2f670b8a78434 (patch)
tree	0f097c471278070b0ff7f4792970395d0e812745 /lib
parent	d334f33eba3c1b600f077caa8bbaf8bf872e86cc (diff)
download	nextcloud-server-fbe58755e58675231feb443b52d2f670b8a78434.tar.gz nextcloud-server-fbe58755e58675231feb443b52d2f670b8a78434.zip