NO ONE should be able to upload dot-files
authornohn <nohn>
Mon, 9 May 2005 08:33:50 +0000 (08:33 +0000)
committernohn <nohn>
Mon, 9 May 2005 08:33:50 +0000 (08:33 +0000)
include/admin/images.inc.php

index fdedb81de1d84e78dac34adccfd8969a95377daf..b2a3c6cca1da253766a7cfa8e7ba11e40fc3790a 100644 (file)
@@ -125,7 +125,7 @@ switch ($serendipity['GET']['adminAction']) {
             $tindex  = 1;
         }
 
-        if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && (preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile) || preg_match('@^\.@', $tfile)) {
+        if (preg_match('@^\.@', $tfile) || ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && (preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile)))) {
             printf(ERROR_FILE_FORBIDDEN, $tfile);
             break;
         }
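Review bot: The added `preg_match('@^\.@', $tfile)` test only rejects a name whose first character is a dot, so it protects the upload directory only if `$tfile` is a bare file name here and is the exact name later written to disk. How `$tfile` is built lies outside the hunk; if it can carry a directory part, run the test on the final component instead, e.g. `preg_match('@^\.@', basename($tfile))`. The extension test kept for non-admins, `'@\.(php[34]?|[ps]html?)$@i'`, is a short end-anchored denylist, so an allowlist of the media extensions the library is meant to hold would be the sturdier check. Both remarks apply equally to the identical condition in the second hunk (around line 188); the enclosing `switch` case starts and ends outside this hunk.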
@@ -188,7 +188,7 @@ switch ($serendipity['GET']['adminAction']) {
                 continue;
             }
             
-            if ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile)) {
+           if (preg_match('@^\.@', $tfile) || ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && (preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile)))) {
                 printf(ERROR_FILE_FORBIDDEN, $tfile);
                 echo '<br />';
                 continue;
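Review bot: The added `if` line is indented one space less than the surrounding block (11 spaces against 12) and repeats the exact condition from the first hunk, including a redundant pair of parentheses around the inner `preg_match`. Two hand-copied instances of a security check tend to drift apart, so the test belongs in one small helper that takes the file name and returns a bool, called from both places. If it stays inline, it reads more cleanly as `if (preg_match('@^\.@', $tfile) || ($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && preg_match('@\.(php[34]?|[ps]html?)$@i', $tfile))) {` at the block's indentation. A one-line comment such as `// dot-files are refused for every user level; script extensions only for non-admins` would record why the two halves differ. The loop this hunk belongs to starts and ends outside the hunk.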