Module: nagvis Branch: nagvis-1.4 Commit: ee550de5969ab16240e234b7b4c748c9d862eae1 URL: http://nagvis.git.sourceforge.net/git/gitweb.cgi?p=nagvis/nagvis/nagvis;a=commit;h=ee550de5969ab16240e234b7b4c748c9d862eae1
Author: Lars Michelsen <[email protected]> Date: Thu Sep 3 09:34:44 2009 +0200 #94 Additional fix for file inclusion problem (getHoverUrl in ajax request handler)
---
 nagvis/nagvis/includes/classes/NagVisHoverUrl.php | 9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/nagvis/nagvis/includes/classes/NagVisHoverUrl.php b/nagvis/nagvis/includes/classes/NagVisHoverUrl.php
index b23447e..e4e91c5 100644
--- a/nagvis/nagvis/includes/classes/NagVisHoverUrl.php
+++ b/nagvis/nagvis/includes/classes/NagVisHoverUrl.php
@@ -80,6 +80,15 @@ class NagVisHoverUrl {
  * $context = stream_context_create($http_opts);
  * $content = file_get_contents($obj['hover_url'],FALSE,$context);
  */
+
+ // Only allow urls not paths for security reasons
+ // Reported here: http://news.gmane.org/find-root.php?message_id=%3cf60c42280909021938s7f36c0edhd66d3e9156a5d081%40mail.gmail.com%3e
+ $aUrl = parse_url($this->url);
+ if(!isset($aUrl['scheme']) || $aUrl['scheme'] == '') {
+ echo new GlobalFrontendMessageBox('ERROR', $this->CORE->LANG->getText('problemReadingUrl', 'URL~'.$this->url.',MSG~Not allowed url'), $this->CORE->MAINCFG->getValue('paths','htmlbase'), 'error');
+ exit(1);
+ }
+
 if(!$content = file_get_contents($this->url)) {
 new GlobalFrontendMessage('WARNING', $this->CORE->LANG->getText('couldNotGetHoverUrl', 'URL~'.$this->url));
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Nagvis-checkins mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nagvis-checkins
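Review bot: The new scheme check in the added `if(!isset($aUrl['scheme']) || $aUrl['scheme'] == '')` line only rejects scheme-less values, so the subsequent `file_get_contents($this->url)` still accepts any stream wrapper PHP has enabled, including `file://`, `php://filter`, `phar://` and `data://`, which re-open the local file read the commit is meant to close. Denying the empty scheme should be replaced by an allow-list of the schemes this feature actually needs, e.g. `$scheme = is_array($aUrl) && isset($aUrl['scheme']) ? strtolower($aUrl['scheme']) : '';` followed by `if(!in_array($scheme, array('http', 'https'), true)) {` (the `is_array` guard also covers `parse_url()` returning `false` on a malformed URL, and `strtolower` prevents `FILE://` from slipping past a case-sensitive comparison). Even with an http/https allow-list the server will fetch whatever host the hover URL names, so if this value is user-supplied in the ajax request, as the commit message suggests, a host restriction or a documented "trusted map authors only" caveat is still warranted. The error path also echoes `$this->url` back into the message box; whether GlobalFrontendMessageBox HTML-escapes its text is not visible here and is worth confirming. The enclosing method starts before and continues after this hunk.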
