Fixed: FS#2157 - Add new Webdav user" can chmod and chown entire server from client interface

217b8d78 · tbrehm · 8c080c6d · 217b8d78 · 217b8d78
Commit 217b8d78 authored Apr 04, 2012 by tbrehm
Showing with 5 additions and 1 deletion

interface/web/sites/lib/lang/en_webdav_user.lng interface/web/sites/lib/lang/en_webdav_user.lng +2 -0

interface/web/sites/webdav_user_edit.php interface/web/sites/webdav_user_edit.php +3 -1

No files found.
--- a/interface/web/sites/lib/lang/en_webdav_user.lng
+++ b/interface/web/sites/lib/lang/en_webdav_user.lng
@@ -13,4 +13,6 @@ $wb["username_error_regex"] = 'The username contains charachters that are not al
 $wb["directory_error_empty"] = 'Directory empty.';
 $wb["parent_domain_id_error_empty"] = 'No website selected.';
 $wb['password_strength_txt'] = 'Password strength';
+$wb['dir_dot_error'] = 'No .. in path allowed.';
+$wb['dir_slashdot_error'] = 'No ./ in path allowed.';
 ?>
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -114,7 +114,9 @@ class page_action extends tform_actions {
 		 */
 		if(isset($this->dataRecord['username']) && trim($this->dataRecord['username']) == '') $app->tform->errorMessage .= $app->tform->lng('username_error_empty').'<br />';
 		if(isset($this->dataRecord['username']) && empty($this->dataRecord['parent_domain_id'])) $app->tform->errorMessage .= $app->tform->lng('parent_domain_id_error_empty').'<br />';
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'..')) $app->tform->errorMessage .= $app->tform->lng('dir_dot_error').'<br />';
+		if(isset($this->dataRecord['dir']) && stristr($this->dataRecord['dir'],'./')) $app->tform->errorMessage .= $app->tform->lng('dir_slashdot_error').'<br />';
 		parent::onSubmit();
 	}