security: whitelist legal chars

author: Urban Müller 2015-11-18 15:39:20 +0100
committer: Urban Müller 2015-11-18 15:41:13 +0100
commit: b52db895457e3b2470409a892e0de944e23ea4be (patch)
tree: ee664e4c82481132acf56bf1f2f6627c0061f075 /itjs.class
parent: 791239bfb548b7524c309e7c6c522165875ae4ea (diff)
download: itools-b52db895457e3b2470409a892e0de944e23ea4be.tar.gz
itools-b52db895457e3b2470409a892e0de944e23ea4be.tar.bz2
itools-b52db895457e3b2470409a892e0de944e23ea4be.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/itjs.class b/itjs.class
index c54abd3..8e79fad 100644
--- a/itjs.class
+++ b/itjs.class
@@ -134,9 +134,12 @@ static function filenames($filelist)
 		"PIE.htc" => "$libsearch/doc/PIE.htc",
 	);
 
-	foreach (array_filter(explode(",", basename($filelist))) as $file)
+	if (it::match("[^-\w.=?&,]", basename($filelist)))
+		it::error("bad filelist $filelist");
+
+	foreach (it::match("[-\w.=?&]+", basename($filelist), array('all' => true)) as $file)
 	{
-		$filenames = $special[$file] ?: (file_exists("$path/" . it::replace(array('[\?\x00].*' => ""), $file)) ? "$path/$file" : "$libsearch/itjs/$file");
+		$filenames = $special[$file] ?: (file_exists("$path/$file") ? "$path/$file" : "$libsearch/itjs/$file");
 
 		foreach (explode(",", $filenames) as $filename)
 			if (!$seen[$filename]++)
author	Urban Müller	2015-11-18 15:39:20 +0100
committer	Urban Müller	2015-11-18 15:41:13 +0100
commit	b52db895457e3b2470409a892e0de944e23ea4be (patch)
tree	ee664e4c82481132acf56bf1f2f6627c0061f075 /itjs.class
parent	791239bfb548b7524c309e7c6c522165875ae4ea (diff)
download	itools-b52db895457e3b2470409a892e0de944e23ea4be.tar.gz itools-b52db895457e3b2470409a892e0de944e23ea4be.tar.bz2 itools-b52db895457e3b2470409a892e0de944e23ea4be.zip