From c09edabb973b62018063f80f3fe27ba67c58ec84 Mon Sep 17 00:00:00 2001
From: Danny Terweij
Date: Sat, 22 Mar 2014 01:32:55 +0100
Subject: [PATCH] Secure docroot input field.
---
 kloxo/httpdocs/lib/domain/domainlib.php | 6 ++++++
 kloxo/httpdocs/lib/domain/web/weblib.php | 3 +++
 2 files changed, 9 insertions(+)
diff --git a/kloxo/httpdocs/lib/domain/domainlib.php b/kloxo/httpdocs/lib/domain/domainlib.php
index f3495604be..aa14df2140 100755
--- a/kloxo/httpdocs/lib/domain/domainlib.php
+++ b/kloxo/httpdocs/lib/domain/domainlib.php
@@ -621,6 +621,9 @@ function postAdd()
 if(preg_match("/\.\.\//", $web-docroot)){
 throw new lxexception("folder_name_may_not_contain_doubledotsslash","");
 }
+ if(preg_match("/.*({|}|%|\"|$|'|`).*/", $web-docroot)){
+ throw new lxexception("folder_name_may_not_contain_bad_characters","");
+ }
 $this->docroot = coreFfile::getRealpath($this->docroot);
@@ -648,6 +651,9 @@ function postAdd()
 if(preg_match("/\.\.\//", $web-docroot)){
 throw new lxexception("folder_name_may_not_contain_doubledotsslash","");
 }
+ if(preg_match("/.*({|}|%|\"|$|'|`).*/", $web-docroot)){
+ throw new lxexception("folder_name_may_not_contain_bad_characters","");
+ }
 ///#656 When adding a subdomain, the Document Root field is not being validated
 if (csa($web->docroot, " /")) {
diff --git a/kloxo/httpdocs/lib/domain/web/weblib.php b/kloxo/httpdocs/lib/domain/web/weblib.php
index 0b6961405a..4b795dcd8b 100644
--- a/kloxo/httpdocs/lib/domain/web/weblib.php
+++ b/kloxo/httpdocs/lib/domain/web/weblib.php
@@ -1211,6 +1211,9 @@ function updateform($subaction, $param)
 if(preg_match("/\.\.\//", $param['docroot'])) {
 throw new lxexception("folder_name_may_not_contain_doubledotsslash", "");
 }
+ if(preg_match("/.*({|}|%|\"|$|'|`).*/", $web-docroot)){
+ throw new lxexception("folder_name_may_not_contain_bad_characters","");
+ }
 return $vlist;
 case "blockip":
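Review bot: The pattern added in the first postAdd() hunk of domainlib.php (`@@ -621,6 +621,9 @@`) matches every subject, because the unescaped `$` inside the alternation is an end-of-subject anchor rather than a literal dollar sign, so the group always succeeds at the end of the string and the exception would be raised for valid folder names as well. The identical pattern is repeated in the second postAdd() hunk and in the updateform() hunk of weblib.php. A character class in a single-quoted string avoids both the anchor and PHP's own handling of `$` in double quotes, for example the pattern ``'/[{}%"$\'`]/'``. A denylist is also easy to leave incomplete; if the docroot later reaches a shell command or a generated server configuration (not visible here), an allowlist such as `'/\A[A-Za-z0-9._\/-]+\z/'`, adapted to the names the panel actually permits, would be the more robust check. postAdd() starts and ends outside the hunk.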
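Review bot: The subject passed to the added `preg_match()` in the second postAdd() hunk (`@@ -648,6 +651,9 @@`) is `$web-docroot`, which PHP parses as `$web` minus a constant named `docroot`, not as the property that the `csa($web->docroot, " /")` line just below reads. The submitted folder name is therefore not what gets tested. The argument should be `$web->docroot`, and the existing `../` check directly above uses the same expression, so it probably needs the same correction. The first postAdd() hunk repeats `$web-docroot` as well; there the following line works on `$this->docroot`, so the intended variable should be confirmed against the part of the function outside the hunk.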
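Review bot: In the updateform() hunk of weblib.php the added check tests `$web-docroot`, while the double-dot check immediately above it validates `$param['docroot']`, and no `$web` is visible in this hunk. As written the new test appears not to inspect the submitted value at all, so the second argument should be `$param['docroot']`. updateform() starts and ends outside the hunk, so whether `$web` is defined earlier in the function cannot be confirmed from here.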