1
0
Fork 0

MSD-4 Implement whitelist check for langId parameter passed to flag.php

Dieser Commit ist enthalten in:
JanRei 2011-07-03 16:27:27 +00:00
Ursprung 9246cc9533
Commit 3ec58d6bc3

Datei anzeigen

@ -1,16 +1,13 @@
<?php
//TODO security -> implement whitelist of characters for langId
$country = str_replace(
array('..', "\x00"),
'',
$_GET['langId']
);
$languageDir = realpath(dirname(__FILE__) . '/../application/language');
header('Content-Type: image/gif');
$country = $_GET['langId'];
if (preg_match('/^[A-Z0-9_]+\z/i', $country)) {
define('DS', DIRECTORY_SEPARATOR);
$languageDir = realpath(dirname(__FILE__) . '/../application/language');
$image = $languageDir . DS . $country . DS . 'flag.gif';
if (file_exists($image)) {
header('Content-Type: image/gif');
readfile(realpath($image));
}
}