[aur-dev] [PATCH] PKGBUILD syntax highlight
This is another approach. Greez.
On Sun, Oct 03, 2010 at 11:37:46AM +0200, Manuel Tortosa wrote:
+$file = URL_DIR . "/". urlencode(basename($_GET['p']))."/".urlencode(basename($_GET['p']))."/PKGBUILD"; + +if (is_file($file)) { + $text = file_get_contents($file); +} else { + $text = ""; +}
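Review bot: on the `$file = ...` line, $_GET['p'] is read twice without first checking that it is set and is a string, and basename() returns "." and ".." unchanged (urlencode() leaves dots alone as well), so the resulting path is not guaranteed to stay below URL_DIR. Validate the value against the set of characters allowed in a package name before building the path, or compare realpath() of the result with URL_DIR before reading. file_get_contents() can also return false on a read error, which the is_file() branch does not cover; fall back to the empty string in that case too.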
This looks much better now :) I don't get the point of using urlencode() here tho.
On 03.10.2010 20:08, Lukas Fleischer wrote:
> I don't get the point of using urlencode() here tho.

It changes / to %2F so /etc/passwd would result in a broken path.

-- 
Florian Pritz -- {flo,bluewind}@server-speed.net
On 10/04/2010 04:54 PM, Florian Pritz wrote:
> On 03.10.2010 20:08, Lukas Fleischer wrote:
>> I don't get the point of using urlencode() here tho.
> It changes / to %2F so /etc/passwd would result in a broken path.

Assuming that basename does what basename(1) does, it will never output a slash. /etc/passwd would yield "passwd".

Regards, PyroPeter

-- 
freenode/pyropeter "12:50 - Ich drücke Return."
On Mon, Oct 04, 2010 at 10:51:54PM +0200, PyroPeter wrote:
>> It changes / to %2F so /etc/passwd would result in a broken path.
> Assuming that basename does what basename(1) does, it will never output a slash. /etc/passwd would yield "passwd".

Yes, there's no need to additionally use urlencode() here. It's just the wrong function for this purpose. If you want to be absolutely sure that no one accesses files outside the upload directory, you can additionally use realpath() after building the path and check if the left part of the absolute path matches the upload directory, but this shouldn't be necessary if there are no symlinks or something similar in the directories referencing files outside.
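
The realpath() containment check described in the last message, as an added example that is not part of the original thread or of the AUR code base. The helper name resolve_pkgbuild(), the package-name pattern and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example: resolve <base>/<pkg>/<pkg>/PKGBUILD and refuse anything
// that ends up outside <base>. resolve_pkgbuild() is a hypothetical helper.
function resolve_pkgbuild(string $baseDir, $pkg): ?string
{
    // Reject missing or array input and anything that is not a plain name.
    // basename() alone is not enough here: basename('..') is still '..'.
    // The pattern is an assumed allow-list for package names.
    if (!is_string($pkg) || !preg_match('/^[A-Za-z0-9@_+][A-Za-z0-9@._+-]*$/D', $pkg)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath("$baseDir/$pkg/$pkg/PKGBUILD"); // false if it does not exist
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so /srv/up does not match /srv/up-old.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . '/aur-demo-' . getmypid();
mkdir("$root/up/foo/foo", 0700, true);
file_put_contents("$root/up/foo/foo/PKGBUILD", "pkgname=foo\n");
// A package directory that is a symlink to a location outside the upload
// directory: the case the realpath() comparison exists to catch.
mkdir("$root/outside/evil", 0700, true);
file_put_contents("$root/outside/evil/PKGBUILD", "not ours\n");
symlink("$root/outside", "$root/up/evil");

foreach (['foo', '..', '/etc/passwd', 'evil', 'missing'] as $p) {
    $r = resolve_pkgbuild("$root/up", $p);
    printf("%-12s => %s\n", $p, $r ?? 'rejected');
}
```

Only "foo" resolves to a path; the names that fail the pattern, the symlinked directory and the nonexistent package are all rejected.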
participants (4)
- Florian Pritz
- Lukas Fleischer
- Manuel Tortosa
- PyroPeter