[Mapbender-commits] r4869 - branches/2.4.5/http/print

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Tue Oct 27 12:45:49 EDT 2009


Author: christoph
Date: 2009-10-27 12:45:49 -0400 (Tue, 27 Oct 2009)
New Revision: 4869

Modified:
   branches/2.4.5/http/print/mod_printPDF.php
   branches/2.4.5/http/print/mod_printPDF_pdf.php
Log:


Modified: branches/2.4.5/http/print/mod_printPDF.php
===================================================================
--- branches/2.4.5/http/print/mod_printPDF.php	2009-10-27 16:38:18 UTC (rev 4868)
+++ branches/2.4.5/http/print/mod_printPDF.php	2009-10-27 16:45:49 UTC (rev 4869)
@@ -19,6 +19,15 @@
 require_once(dirname(__FILE__)."/../php/mb_validateSession.php");
 require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
 
+$confFile = basename($_REQUEST["conf"]);
+if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/", $confFile) || 
+	!file_exists($confFile)) {
+
+	$errorMessage = _mb("Invalid configuration file") . ": " . $_REQUEST["conf"];
+	echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+	$e = new mb_exception($errorMessage);
+	die;
+}
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 
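Review bot: The `file_exists($confFile)` test in the added guard checks a bare file name, which PHP resolves against the current working directory, while the later `require_once` builds its path from `dirname(__FILE__)."/../print/"`. The two only agree when the script runs from its own directory. Check the path that is actually loaded, e.g. `$confPath = dirname(__FILE__)."/../print/".$confFile;` with `!is_file($confPath)` in the condition, and pass `$confPath` to `require_once`. The same guard is repeated in mod_printPDF_pdf.php and needs the same change. Separately, `$errorMessage` carries the raw `$_REQUEST["conf"]` into `mb_exception`; presumably that writes to a log, so consider logging the sanitized `$confFile` instead.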
@@ -52,7 +61,7 @@
 <?php
 
 
-require_once(dirname(__FILE__)."/../print/".$_REQUEST["conf"]);
+require_once(dirname(__FILE__)."/../print/".$confFile);
 echo "<script type='text/javascript'>";
 echo "var target = '".$_REQUEST["target"]."';";
 echo "var comment = '".$label_comment."';";
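Review bot: The `echo "var target = '".$_REQUEST["target"]."';";` line directly below the fixed `require_once` still writes a request parameter unescaped into a JavaScript string inside a `<script>` block, and this commit leaves it unaddressed. Encode it for that context, e.g. `echo "var target = ".json_encode($_REQUEST["target"], JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).";";` (the flags need PHP 5.3). `$label_comment` on the next line is presumably set by the included configuration file, so it is less exposed, but encoding it the same way keeps a quote in a label from breaking the script. The echo sequence continues past the end of the hunk.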

Modified: branches/2.4.5/http/print/mod_printPDF_pdf.php
===================================================================
--- branches/2.4.5/http/print/mod_printPDF_pdf.php	2009-10-27 16:38:18 UTC (rev 4868)
+++ branches/2.4.5/http/print/mod_printPDF_pdf.php	2009-10-27 16:45:49 UTC (rev 4869)
@@ -27,7 +27,18 @@
 include (dirname(__FILE__)."/../classes/class_stripRequest.php");
 include (dirname(__FILE__)."/../classes/class_weldMaps2PNG.php");
 include (dirname(__FILE__)."/../classes/class_weldOverview2PNG.php");
-include (dirname(__FILE__)."/../print/".$_REQUEST["conf"]);
+
+$confFile = basename($_REQUEST["conf"]);
+if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/", $confFile) || 
+	!file_exists($confFile)) {
+
+	$errorMessage = _mb("Invalid configuration file");
+	echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+	$e = new mb_exception($errorMessage);
+	die;
+}
+
+include (dirname(__FILE__)."/../print/".$confFile);
 include (dirname(__FILE__)."/../classes/class_SaveLegend.php");
 include (dirname(__FILE__)."/../print/print_functions.php");
 
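Review bot: The pattern `/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/` in this guard accepts any file name with a single extension, so after `basename()` every such file in http/print can still be selected by the request, including `print_functions.php` and the print modules themselves. If the configuration files share a naming convention, pin it in the pattern, or compare `$confFile` against an explicit list of known configuration files. Also add the `D` modifier to the pattern, since without it `$` also matches before a trailing newline. The block is a copy of the one in mod_printPDF.php; moving it into one shared include would keep the two checks from drifting apart.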


