From 217b8d78eef89fea9b3fd8adcea32f66934f898a Mon Sep 17 00:00:00 2001
From: tbrehm
Date: Wed, 4 Apr 2012 06:11:26 +0000
Subject: [PATCH] Fixed: FS#2157 - Add new Webdav user" can chmod and chown entire server from client interface
---
 interface/web/sites/lib/lang/en_webdav_user.lng | 2 ++
 interface/web/sites/webdav_user_edit.php | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/interface/web/sites/lib/lang/en_webdav_user.lng b/interface/web/sites/lib/lang/en_webdav_user.lng
index 09cf6ff40..3d43cfc5a 100644
--- a/interface/web/sites/lib/lang/en_webdav_user.lng
+++ b/interface/web/sites/lib/lang/en_webdav_user.lng
@@ -13,4 +13,6 @@ $wb["username_error_regex"] = 'The username contains charachters that are not al
 $wb["directory_error_empty"] = 'Directory empty.';
 $wb["parent_domain_id_error_empty"] = 'No website selected.';
 $wb['password_strength_txt'] = 'Password strength';
+$wb['dir_dot_error'] = 'No .. in path allowed.';
+$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
 ?>
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index 5d5a617d8..2d7dc4116 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -114,7 +114,9 @@ class page_action extends tform_actions {
 */
 if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'
';
 if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'
';
-
+ if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'
';
+ if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'
';
+
 parent::onSubmit();
 }
--
GitLab
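Review bot: The two added `stristr` checks are a substring deny-list, which is a weak guard for a value that, per the commit subject, ends up as the target of chown/chmod: they say nothing about an absolute path or a leading `/`, and they are enforced only in this form handler, so the server-side code that consumes `dir` (or any other way of writing this record, if one exists) is left without a check of its own. A sturdier shape is an allow-list of what a directory name may contain alongside the `..` rejection, and the consumer of `dir` should independently confirm that the resolved path stays under the site's document root before acting on it. Case-insensitive `stristr` is also an odd choice for `..` and `./`; `strpos($this->dataRecord['dir'], '..') !== false` states the intent directly. The enclosing `onSubmit()` begins outside the hunk.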