Hi Sergio,
Thank you for reporting this issue. Here is the fix I intend to push
in src/wiki.c. I have tested the solution on my didiwiki installation,
and it seems to be working fine.
----
int page_name_is_good(char* page_name)
{
    /* We should give access only to subdirs of didiwiki root.
       I guess that check for absence of '/' is enough.
       TODO: Use realpath()
    */
    if (!page_name)
        return FALSE;
    /* absolute path */
    if (strncmp(page_name, "/", 1) == 0)
        return FALSE;
    /* explicit current directory prefix */
    if (strncmp(page_name, "./", 2) == 0)
        return FALSE;
    /* parent directory prefix */
    if (strncmp(page_name, "..", 2) == 0)
        return FALSE;
    /* parent directory component anywhere in the name */
    if (strstr(page_name, "../"))
        return FALSE;
    if (strstr(page_name, "/.."))
        return FALSE;
    return TRUE;
}
----
I will be pushing this solution, unless you think there is a better
way to solve this.
Cheers,
Ignace M
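Added example, not part of the message above or of didiwiki itself: the same check written component by component instead of as a set of substring tests, which is the lexical alternative to the realpath() TODO (realpath() needs the file to exist, which a page being created does not). The function name page_name_is_confined and the sample names are assumptions; it is deliberately stricter than the posted fix in also rejecting "." and empty components.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if page_name can only name a file below the wiki root,
 * 0 otherwise.  Purely lexical: walks the name one '/'-separated
 * component at a time and rejects anything that could climb out. */
int page_name_is_confined(const char *page_name)
{
    const char *p = page_name;

    if (!p || !*p)
        return 0;                 /* NULL or empty: nothing to open */
    if (*p == '/')
        return 0;                 /* absolute path escapes the root */

    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0)
            return 0;             /* "a//b" or trailing "/" */
        if (len == 1 && p[0] == '.')
            return 0;             /* "." component (assumption: never needed) */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;             /* ".." component: climbs out of the root */

        if (!end)
            return 1;             /* last component was fine */
        p = end + 1;              /* continue after the separator */
    }
}

int main(void)
{
    /* constructed sample page names */
    const char *names[] = { "HomePage", "notes/2013", "../outside",
                            "/abs/path", "notes/../x", "a/./b", "a//b" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s -> %s\n", names[i],
               page_name_is_confined(names[i]) ? "ok" : "rejected");
    return 0;
}
```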