[Mapbender-commits] r4330 - trunk/mapbender/http/print

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Fri Jul 10 07:48:59 EDT 2009


Author: christoph
Date: 2009-07-10 07:48:58 -0400 (Fri, 10 Jul 2009)
New Revision: 4330

Modified:
   trunk/mapbender/http/print/mod_printPDF.php
   trunk/mapbender/http/print/mod_printPDF_pdf.php
Log:
security update

Modified: trunk/mapbender/http/print/mod_printPDF.php
===================================================================
--- trunk/mapbender/http/print/mod_printPDF.php	2009-07-09 13:11:57 UTC (rev 4329)
+++ trunk/mapbender/http/print/mod_printPDF.php	2009-07-10 11:48:58 UTC (rev 4330)
@@ -17,11 +17,17 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)$/", $_REQUEST["conf"])) {
+require_once(dirname(__FILE__)."/../../core/globalSettings.php");
+
+$confFile = basename($_REQUEST["conf"]);
+if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/", $confFile) || 
+	!file_exists($confFile)) {
+
+	$errorMessage = _mb("Invalid configuration file") . ": " . $_REQUEST["conf"];
+	echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+	$e = new mb_exception($errorMessage);
 	die;
 }
-
-require_once(dirname(__FILE__)."/../../core/globalSettings.php");
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 
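Review bot: The `file_exists($confFile)` guard on the new line 30 resolves `$confFile` against the process's working directory, while the `require_once` in the second hunk (line 47) loads it from `dirname(__FILE__)."/../print/"`, so the check and the include look at different paths: a valid config can be rejected when the script runs from another directory, and a same-named file in the working directory would satisfy the check without being the file that gets included. Check the path that is actually loaded, e.g. `$confPath = dirname(__FILE__) . "/../print/" . $confFile;`, test `!file_exists($confPath)`, and pass `$confPath` to `require_once`. The same mismatch is in mod_printPDF_pdf.php (lines 63-64 versus 72). Separately, PCRE `$` also matches before a trailing newline, so a value such as `"foo.php\n"` passes the pattern; the `D` modifier (`/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/D`) anchors at the true end of the string.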
@@ -38,7 +44,7 @@
 	//FIXME:
 	//setlocale(LC_ALL, "de_DE.utf8");
 
-	require_once(dirname(__FILE__)."/../print/".$_REQUEST["conf"]);
+	require_once(dirname(__FILE__)."/../print/" . $confFile);
 
 	printf("
 	<script type=\"text/javascript\">

Modified: trunk/mapbender/http/print/mod_printPDF_pdf.php
===================================================================
--- trunk/mapbender/http/print/mod_printPDF_pdf.php	2009-07-09 13:11:57 UTC (rev 4329)
+++ trunk/mapbender/http/print/mod_printPDF_pdf.php	2009-07-10 11:48:58 UTC (rev 4330)
@@ -23,7 +23,18 @@
 include (dirname(__FILE__)."/../classes/class_stripRequest.php");
 include (dirname(__FILE__)."/../classes/class_weldMaps2PNG.php");
 include (dirname(__FILE__)."/../classes/class_weldOverview2PNG.php");
-include (dirname(__FILE__)."/../print/".$_REQUEST["conf"]);
+
+$confFile = basename($_REQUEST["conf"]);
+if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/", $confFile) || 
+	!file_exists($confFile)) {
+
+	$errorMessage = _mb("Invalid configuration file") . ": " . $_REQUEST["conf"];
+	echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+	$e = new mb_exception($errorMessage);
+	die;
+}
+
+include (dirname(__FILE__)."/../print/".$confFile);
 include (dirname(__FILE__)."/../classes/class_SaveLegend.php");
 include (dirname(__FILE__)."/../print/print_functions.php");
 
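Review bot: The validation block added at lines 62-70 is a verbatim copy of the one added to mod_printPDF.php in this same commit, so the two will drift the next time the pattern or the error handling changes; a small shared function that returns the validated config path (e.g. a `getPrintConfFile()` helper in a file both scripts already include) would keep both entry points on one rule. This file's preamble is outside the hunk, so it is not visible here whether globalSettings.php — which mod_printPDF.php had to add in this commit for `_mb`, `mb_exception` and `CHARSET`, all used on lines 66-68 — is included before this point; if it is not, the error branch itself fails before the message is printed.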


