MSD-4 Implement whitelist check for langId parameter passed to flag.php
Ursprung
9246cc9533
Commit
3ec58d6bc3
1 geänderte Dateien mit 10 neuen und 13 gelöschten Zeilen
|
@ -1,16 +1,13 @@
|
|||
<?php
|
||||
//TODO security -> implement whitelist of characters for langId
|
||||
$country = str_replace(
|
||||
array('..', "\x00"),
|
||||
'',
|
||||
$_GET['langId']
|
||||
);
|
||||
|
||||
$languageDir = realpath(dirname(__FILE__) . '/../application/language');
|
||||
|
||||
header('Content-Type: image/gif');
|
||||
$country = $_GET['langId'];
|
||||
|
||||
if (preg_match('/^[A-Z0-9_]+\z/i', $country)) {
|
||||
define('DS', DIRECTORY_SEPARATOR);
|
||||
$languageDir = realpath(dirname(__FILE__) . '/../application/language');
|
||||
$image = $languageDir . DS . $country . DS . 'flag.gif';
|
||||
|
||||
if (file_exists($image)) {
|
||||
header('Content-Type: image/gif');
|
||||
readfile(realpath($image));
|
||||
}
|
||||
}
|
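Review bot: The allowlist on `langId` is applied to `$_GET['langId']` without first checking that the parameter is present and is a string. The +/- markers are lost on this page, so this assumes the `$country = $_GET['langId'];` line is the new side. A missing parameter or an array value (`langId[]=...`) reaches `preg_match()` and raises a warning or TypeError, which can expose the script path where errors are displayed. I would normalise first with `$country = (isset($_GET['langId']) && is_string($_GET['langId'])) ? $_GET['langId'] : '';`. The two silent fall-through paths (pattern mismatch, file not found) currently return an empty 200; `http_response_code(404);` there would make rejected requests visible in access logs. `is_file($image)` is also a tighter check than `file_exists($image)`, which is true for directories too.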