[aur-dev] [PATCH] PKGBUILD syntax highlight

Lukas Fleischer archlinux at cryptocrack.de
Tue Oct 5 07:41:26 EDT 2010


On Mon, Oct 04, 2010 at 10:51:54PM +0200, PyroPeter wrote:
> >It changes / to %2F so /etc/passwd would result in a broken path.
> >
> 
> Assuming that basename does what basename(1) does, it will never
> output a slash. /etc/passwd would yield "passwd".

Yes, there's no need to additionally use urlencode() here. It's just the
wrong function for this purpose. If you want to be absolutely sure that
no one accesses files outside the upload directory, you can additionally
use realpath() after building the path and check if the left part of the
absolute path matches the upload directory, but this shouldn't be
necessary if there are no symlinks or something similar in the
directories referencing files outside.
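
The check described above (basename() to drop directory components, then realpath() and a comparison against the upload directory), as an added example that is not part of the original message or of the AUR code. The function name `resolve_upload` and the demo directory are hypothetical.

```php
<?php
// Added example; resolve_upload() and the demo directory are hypothetical names.
// Returns the canonical path of an uploaded file, or null if the name is
// empty, does not exist, or resolves to somewhere outside $uploadDir.
function resolve_upload(string $uploadDir, string $userInput): ?string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return null; // upload directory itself is missing
    }

    // basename() drops every directory component: "/etc/passwd" -> "passwd".
    $name = basename($userInput);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // realpath() resolves symlinks and returns false if the file is absent.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        return null;
    }

    // Compare against the directory plus a trailing separator, so that
    // "/srv/uploads-old/x" is not accepted as being inside "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary upload directory holding one regular file
// and one symlink that points outside the directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'PKGBUILD', "pkgname=demo\n");
symlink('/etc/passwd', $dir . DIRECTORY_SEPARATOR . 'link');

var_dump(resolve_upload($dir, 'PKGBUILD'));    // regular file inside the directory
var_dump(resolve_upload($dir, '/etc/passwd')); // reduced to "passwd", which is not there
var_dump(resolve_upload($dir, 'link'));        // symlink whose target is outside

unlink($dir . DIRECTORY_SEPARATOR . 'link');
unlink($dir . DIRECTORY_SEPARATOR . 'PKGBUILD');
rmdir($dir);
```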

