make sure we don't try to include whole directories (from unsafe input like "?.js")

author: Koni Weber 2020-02-10 15:20:10 +0100
committer: Koni Weber 2020-02-10 15:20:10 +0100
commit: c986c094762318f93e30e1f17d8bb87e277f8dc8 (patch)
tree: 302581b8a84ec26a4caf94776d37d419064afd8e /itjs.class
parent: 82f082743cd53398957310498596f37d8d5f5aac (diff)
download: itools-c986c094762318f93e30e1f17d8bb87e277f8dc8.tar.gz
itools-c986c094762318f93e30e1f17d8bb87e277f8dc8.tar.bz2
itools-c986c094762318f93e30e1f17d8bb87e277f8dc8.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/itjs.class b/itjs.class
index 44e2879..702051d 100644
--- a/itjs.class
+++ b/itjs.class
@@ -119,7 +119,7 @@ static function filenames($filelist)
 		$filenames = $special[$file] ?: (file_exists("$local/" . it::match('^[^?]*', $file)) ? "$local/$file" : "$libsearch/itjs/$file");
 
 		foreach (explode(",", $filenames) as $filename)
-			if (!$seen[$filename]++ && file_exists(it::match('^[^?]*', $filename)))
+			if (!$seen[$filename]++ && file_exists(($fn = it::match('^[^?]*', $filename))) && is_file($fn))
 				$result[] = $filename;
 	}
author	Koni Weber	2020-02-10 15:20:10 +0100
committer	Koni Weber	2020-02-10 15:20:10 +0100
commit	c986c094762318f93e30e1f17d8bb87e277f8dc8 (patch)
tree	302581b8a84ec26a4caf94776d37d419064afd8e /itjs.class
parent	82f082743cd53398957310498596f37d8d5f5aac (diff)
download	itools-c986c094762318f93e30e1f17d8bb87e277f8dc8.tar.gz itools-c986c094762318f93e30e1f17d8bb87e277f8dc8.tar.bz2 itools-c986c094762318f93e30e1f17d8bb87e277f8dc8.zip