
Commit 708cf80

Merge pull request #92 from Hystepik/fix-path-traversal
Fix path traversal security issue via the $_SERVER["CONTEXT_DOCUMENT_ROOT"] variable (GHSA-hxxw-4hcg-43rp)
2 parents 303ae05 + 6a478e3 commit 708cf80

154 files changed

+154
-154
lines changed


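--- a/htdocs/alumni/admin/about.php
+++ b/htdocs/alumni/admin/about.php
@@ -26,7 +26,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;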
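Review bot: `str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])` on the added line is string stripping, not path validation — it silently corrupts a legitimate root whose directory name happens to contain `..`, while the location that actually gets included is never checked at all. A more defensible shape is to canonicalise the server-supplied value with `realpath()` and include only when `main.inc.php` exists under the result, as sketched below; whether the canonical root must additionally be pinned to a known prefix depends on how the module is deployed, which the hunk does not show. The identical one-line change recurs in setup.php, survey_extrafields.php, alumniindex.php, survey_agenda.php, survey_card.php, survey_document.php, survey_list.php, survey_note.php and awstats/admin/about.php (there in braceless single-line form), which argues for one shared bootstrap include instead of 154 copies of the same line. The bootstrap sequence continues past the hunk with the SCRIPT_FILENAME fallback.
```php
if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
    // Canonicalise the server-supplied root and only include a main.inc.php
    // that really exists under it; stripping ".." substrings is not validation.
    $root = realpath($_SERVER["CONTEXT_DOCUMENT_ROOT"]);
    if ($root !== false && is_file($root . "/main.inc.php")) {
        $res = @include $root . "/main.inc.php";
    }
}
// … unchanged: SCRIPT_FILENAME-based fallback …
```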

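--- a/htdocs/alumni/admin/setup.php
+++ b/htdocs/alumni/admin/setup.php
@@ -26,7 +26,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;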

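--- a/htdocs/alumni/admin/survey_extrafields.php
+++ b/htdocs/alumni/admin/survey_extrafields.php
@@ -30,7 +30,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;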

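--- a/htdocs/alumni/alumniindex.php
+++ b/htdocs/alumni/alumniindex.php
@@ -28,7 +28,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;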

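--- a/htdocs/alumni/survey_agenda.php
+++ b/htdocs/alumni/survey_agenda.php
@@ -45,7 +45,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;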

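--- a/htdocs/alumni/survey_card.php
+++ b/htdocs/alumni/survey_card.php
@@ -49,7 +49,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;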

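--- a/htdocs/alumni/survey_document.php
+++ b/htdocs/alumni/survey_document.php
@@ -47,7 +47,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;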

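--- a/htdocs/alumni/survey_list.php
+++ b/htdocs/alumni/survey_list.php
@@ -48,7 +48,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;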

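--- a/htdocs/alumni/survey_note.php
+++ b/htdocs/alumni/survey_note.php
@@ -48,7 +48,7 @@
 $res = 0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
 if (!$res && !empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) {
-$res = @include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+$res = @include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 }
 // Try main.inc.php into web root detected using web root calculated from SCRIPT_FILENAME
 $tmp = empty($_SERVER['SCRIPT_FILENAME']) ? '' : $_SERVER['SCRIPT_FILENAME']; $tmp2 = realpath(__FILE__); $i = strlen($tmp) - 1; $j = strlen($tmp2) - 1;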

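--- a/htdocs/awstats/admin/about.php
+++ b/htdocs/awstats/admin/about.php
@@ -25,7 +25,7 @@
 // Load Dolibarr environment
 $res=0;
 // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined)
-if (! $res && ! empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) $res=@include $_SERVER["CONTEXT_DOCUMENT_ROOT"]."/main.inc.php";
+if (! $res && ! empty($_SERVER["CONTEXT_DOCUMENT_ROOT"])) $res=@include str_replace("..", "", $_SERVER["CONTEXT_DOCUMENT_ROOT"])."/main.inc.php";
 // Try main.inc.php into web root detected using web root caluclated from SCRIPT_FILENAME
 $tmp=empty($_SERVER['SCRIPT_FILENAME'])?'':$_SERVER['SCRIPT_FILENAME'];$tmp2=realpath(__FILE__); $i=strlen($tmp)-1; $j=strlen($tmp2)-1;
 while ($i > 0 && $j > 0 && isset($tmp[$i]) && isset($tmp2[$j]) && $tmp[$i]==$tmp2[$j]) { $i--; $j--; }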
