From 6ef5edf5eac149e140f58019ceb7a35495195aef Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sat, 18 Aug 2012 09:30:01 +0200
Subject: Use SCRIPT_NAME instead of PHP_SELF which won't send the PATH_INFO,
 this prevents XSS in old browsers. Thanks to Nico Golde.

---
 apps/files/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'apps/files/index.php')

diff --git a/apps/files/index.php b/apps/files/index.php
index e1c4ad7f19b..d65aa6cabb8 100644
--- a/apps/files/index.php
+++ b/apps/files/index.php
@@ -39,7 +39,7 @@ OCP\App::setActiveNavigationEntry( 'files_index' );
 $dir = isset( $_GET['dir'] ) ? stripslashes($_GET['dir']) : '';
 // Redirect if directory does not exist
 if(!OC_Filesystem::is_dir($dir.'/')) {
-	header('Location: '.$_SERVER['PHP_SELF'].'');
+	header('Location: '.$_SERVER['SCRIPT_NAME'].'');
 	exit();
 }
 
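Review bot: The reason for using `$_SERVER['SCRIPT_NAME']` in the `header('Location: ...')` call is recorded only in the commit message, so a later cleanup could switch it back to `PHP_SELF` without anyone noticing the regression. I would add a comment above the call, such as `// SCRIPT_NAME excludes PATH_INFO, so request-supplied path text never reaches the Location header`. The redirect target still comes from a server variable; if the app's URL helper is usable at this point (presumably `OCP\Util::linkTo('files', 'index.php')`, to be confirmed against the rest of the file), building the location from it would remove that dependency. The trailing `.''` concatenation is a no-op and can be dropped. This is top-level script code that continues outside the hunk.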
-- 
cgit v1.2.3