Secure docroot input field.

lxcenter · Mar 22, 2014 · c09edab · c09edab
1 parent c1263a2
commit c09edab
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/kloxo/httpdocs/lib/domain/domainlib.php b/kloxo/httpdocs/lib/domain/domainlib.php
@@ -621,6 +621,9 @@ function postAdd()
 	if(preg_match("/\.\.\//", $web-docroot)){
 	throw new lxexception("folder_name_may_not_contain_doubledotsslash","");
 	}
+	if(preg_match("/.*({|}|%|\"|$|'|`).*/", $web-docroot)){
+		throw new lxexception("folder_name_may_not_contain_bad_characters","");
+	}
 
 	$this->docroot = coreFfile::getRealpath($this->docroot);
 
@@ -648,6 +651,9 @@ function postAdd()
     if(preg_match("/\.\.\//", $web-docroot)){
     	throw new lxexception("folder_name_may_not_contain_doubledotsslash","");
     }
+	if(preg_match("/.*({|}|%|\"|$|'|`).*/", $web-docroot)){
+		throw new lxexception("folder_name_may_not_contain_bad_characters","");
+	}
 
     ///#656 When adding a subdomain, the Document Root field is not being validated
     if (csa($web->docroot, " /")) {

diff --git a/kloxo/httpdocs/lib/domain/web/weblib.php b/kloxo/httpdocs/lib/domain/web/weblib.php
@@ -1211,6 +1211,9 @@ function updateform($subaction, $param)
 				if(preg_match("/\.\.\//", $param['docroot'])) {
 					throw new lxexception("folder_name_may_not_contain_doubledotsslash", "");
 				}
+			if(preg_match("/.*({|}|%|\"|$|'|`).*/", $web-docroot)){
+				throw new lxexception("folder_name_may_not_contain_bad_characters","");
+			}
 			return $vlist;
 
 		case "blockip":