[Mapbender-commits] r10088 - trunk/mapbender/http/extensions

[svn_mapbender at osgeo.org]

Author: armin11
Date: 2019-03-25 05:09:31 -0700 (Mon, 25 Mar 2019)
New Revision: 10088

Modified:
   trunk/mapbender/http/extensions/ext_featureInfoTunnel.php
Log:
Fix for filesystem exploit

Modified: trunk/mapbender/http/extensions/ext_featureInfoTunnel.php
===================================================================
--- trunk/mapbender/http/extensions/ext_featureInfoTunnel.php	2019-03-22 08:09:42 UTC (rev 10087)
+++ trunk/mapbender/http/extensions/ext_featureInfoTunnel.php	2019-03-25 12:09:31 UTC (rev 10088)
@@ -25,7 +25,10 @@
 else {
 	$mr = new stripRequest($_POST["url"]);
 }
-
+if (strpos($mr, "file://")!== false) {
+	echo "Local files are not allowed!";
+	die();
+}
 $nmr = $mr->encodeGET();
 $isOwsproxyRequest = (mb_strpos($nmr,OWSPROXY) === 0);
 if($isOwsproxyRequest){