[Mapbender-commits] r4424 - branches/2.5/http/print
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Tue Jul 28 08:40:42 EDT 2009
Author: christoph
Date: 2009-07-28 08:40:39 -0400 (Tue, 28 Jul 2009)
New Revision: 4424
Modified:
branches/2.5/http/print/mod_printPDF.php
branches/2.5/http/print/mod_printPDF_pdf.php
Log:
Modified: branches/2.5/http/print/mod_printPDF.php
===================================================================
--- branches/2.5/http/print/mod_printPDF.php 2009-07-27 12:28:06 UTC (rev 4423)
+++ branches/2.5/http/print/mod_printPDF.php 2009-07-28 12:40:39 UTC (rev 4424)
@@ -18,6 +18,16 @@
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
require_once(dirname(__FILE__)."/../../core/globalSettings.php");
+
+$confFile = basename($_REQUEST["conf"]);
+if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/", $confFile) ||
+ !file_exists($confFile)) {
+
+ $errorMessage = _mb("Invalid configuration file") . ": " . $_REQUEST["conf"];
+ echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+ $e = new mb_exception($errorMessage);
+ die;
+}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
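Review bot: The `file_exists($confFile)` check resolves the bare name against the current working directory, while the later `require_once` builds its path from `dirname(__FILE__)."/../print/"`, so the file that is checked is not guaranteed to be the file that is loaded; test the same path, e.g. `!is_file(dirname(__FILE__)."/../print/".$confFile)`. The pattern also accepts any alphanumeric extension, so every file in the print directory with a matching name, other PHP scripts included, stays loadable through `conf`; if the configuration files share one suffix, pin it in the regex, or compare against a fixed list of allowed names. `$` in PCRE also matches before a trailing newline, so anchor the end with `\z` or add the `D` modifier. The same block is added to mod_printPDF_pdf.php in this commit and needs the same changes.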
@@ -34,7 +44,7 @@
//FIXME:
//setlocale(LC_ALL, "de_DE.utf8");
- require_once(dirname(__FILE__)."/../print/".$_REQUEST["conf"]);
+ require_once(dirname(__FILE__)."/../print/" . $confFile);
printf("
<script type=\"text/javascript\">
Modified: branches/2.5/http/print/mod_printPDF_pdf.php
===================================================================
--- branches/2.5/http/print/mod_printPDF_pdf.php 2009-07-27 12:28:06 UTC (rev 4423)
+++ branches/2.5/http/print/mod_printPDF_pdf.php 2009-07-28 12:40:39 UTC (rev 4424)
@@ -23,7 +23,18 @@
include (dirname(__FILE__)."/../classes/class_stripRequest.php");
include (dirname(__FILE__)."/../classes/class_weldMaps2PNG.php");
include (dirname(__FILE__)."/../classes/class_weldOverview2PNG.php");
-include (dirname(__FILE__)."/../print/".$_REQUEST["conf"]);
+
+$confFile = basename($_REQUEST["conf"]);
+if (!preg_match("/^[a-zA-Z0-9_-]+(\.[a-zA-Z0-9]+)$/", $confFile) ||
+ !file_exists($confFile)) {
+
+ $errorMessage = _mb("Invalid configuration file") . ": " . $_REQUEST["conf"];
+ echo htmlentities($errorMessage, ENT_QUOTES, CHARSET);
+ $e = new mb_exception($errorMessage);
+ die;
+}
+include (dirname(__FILE__)."/../print/".$confFile);
+
include (dirname(__FILE__)."/../classes/class_SaveLegend.php");
include (dirname(__FILE__)."/../print/print_functions.php");
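Review bot: This validation block is a line-for-line copy of the one added to mod_printPDF.php in the same commit, which leaves two places to keep in sync whenever the check is tightened. Moving it into one shared function that returns the validated file name, and calling that from both scripts, would keep the two entry points from drifting apart. The message handed to `mb_exception` also carries the raw `$_REQUEST["conf"]`; if that text ends up in a log file, stripping control characters first (or logging `$confFile` instead) keeps a crafted value from forging log lines.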