[Phpgroupware-cvs] CVS: phpgwapi/inc class.vfs_sql.inc.php,1.15.2.6.2.1


From: Ralf Becker <address@hidden>
Subject: [Phpgroupware-cvs] CVS: phpgwapi/inc class.vfs_sql.inc.php,1.15.2.6.2.1,1.15.2.6.2.2
Date: Wed, 02 Jul 2003 20:33:01 -0400

Update of /cvsroot/phpgroupware/phpgwapi/inc
In directory subversions:/tmp/cvs-serv9441

Modified Files:
      Tag: Version-0_9_16-branch
        class.vfs_sql.inc.php 
Log Message:
test against files-dir within the document-root of the webserver
(this would allow uploads of scripts via vfs, and then execute them via the 
webserver)

Index: class.vfs_sql.inc.php
===================================================================
RCS file: /cvsroot/phpgroupware/phpgwapi/inc/class.vfs_sql.inc.php,v
retrieving revision 1.15.2.6.2.1
retrieving revision 1.15.2.6.2.2
diff -C2 -r1.15.2.6.2.1 -r1.15.2.6.2.2
*** class.vfs_sql.inc.php       27 Mar 2003 00:07:08 -0000      1.15.2.6.2.1
--- class.vfs_sql.inc.php       3 Jul 2003 00:32:58 -0000       1.15.2.6.2.2
***************
*** 82,85 ****
--- 82,97 ----
                        }
        
+                       // test if the files-dir is inside the document-root, 
and refuse working if so
+                       //
+                       if ($this->file_actions && 
(strstr($this->basedir,PHPGW_SERVER_ROOT) || 
strstr($this->basedir,$GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT'])))
+                       {
+                               $GLOBALS['phpgw']->common->phpgw_header();
+                               if 
($GLOBALS['phpgw_info']['flags']['noheader']) 
+                               {
+                                       echo parse_navbar();
+                               }
+                               echo '<p align="center"><font 
color="red"><b>'.lang('Path to user and group files HAS TO BE OUTSIDE of the 
webservers document-root!!!')."</b></font></p>\n";
+                               $GLOBALS['phpgw']->common->phpgw_exit();
+                       }
                        /*
                           These are stored in the MIME-type field and should 
normally be ignored.
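
Review bot: The two strstr() calls in the added if condition do a raw substring match on unnormalized strings, so the test can both over-match and under-match. A files-dir whose path merely contains the root string (say, a sibling directory named like the document-root plus a suffix) is refused, while a $this->basedir that reaches the document-root through a symlink, a relative path or a differently spelled path passes. Suggest canonicalizing both sides (for example with realpath()) and comparing as a path prefix that ends on a directory separator instead of using strstr(). The case where $GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT'] is empty or unset also deserves an explicit branch, since the second strstr() then has nothing meaningful to compare against. The comment should also say that the whole test is skipped when $this->file_actions is false.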




