Slight improvements to file security (scan for more bad characters)

diff --git a/lib/weblib.php b/lib/weblib.php
index 19dcab0ba32bb2100b8bd1b6438247093b8eb0fc..5c9b8c40811214c6564b17a77dea848e3b6bc223 100644 (file)
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -358,7 +358,13 @@ function get_slash_arguments($i=0) {
         return false;
     }
 
-    if (strpos($PATH_INFO, "..")) {  // check for funny business
+    if (strpos($PATH_INFO, "..")) { // check for parent URLs
+        return false;
+    }
+    if (strpos($PATH_INFO, "|")) {  // check for pipes
+        return false;
+    }
+    if (strpos($PATH_INFO, "`")) {  // check for backquotes
         return false;
     }
 

diff --git a/user/pix.php b/user/pix.php
index d81853d004002b28829f6c92f77fcc74c5248edc..9a07f13b47a622f26c2cf83a7250dc4211dc4f86 100644 (file)
--- a/user/pix.php
+++ b/user/pix.php
@@ -30,14 +30,16 @@
 
     $lastmodified = filemtime($pathname);
 
-    header("Last-Modified: " . gmdate("D, d M Y H:i:s", $lastmodified) . " GMT");
-    header("Expires: " . gmdate("D, d M Y H:i:s", time() + $lifetime) . " GMT");
-    header("Cache-control: max_age = $lifetime"); // a day
-    header("Pragma: ");
-    header("Content-disposition: inline; filename=$image");
-    header("Content-length: ".filesize($pathname));
-    header("Content-type: image/jpeg");
-    readfile("$pathname");
+    if (file_exists($pathname)) {
+        header("Last-Modified: " . gmdate("D, d M Y H:i:s", $lastmodified) . " GMT");
+        header("Expires: " . gmdate("D, d M Y H:i:s", time() + $lifetime) . " GMT");
+        header("Cache-control: max_age = $lifetime"); // a day
+        header("Pragma: ");
+        header("Content-disposition: inline; filename=$image");
+        header("Content-length: ".filesize($pathname));
+        header("Content-type: image/jpeg");
+        readfile("$pathname");
+    }
 
     exit;
 ?>