From c986c094762318f93e30e1f17d8bb87e277f8dc8 Mon Sep 17 00:00:00 2001
From: Koni Weber
Date: Mon, 10 Feb 2020 15:20:10 +0100
Subject: make sure we don't try to include whole directories (from unsafe
 input like "?.js")

---
 itjs.class | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/itjs.class b/itjs.class
index 44e2879..702051d 100644
--- a/itjs.class
+++ b/itjs.class
@@ -119,7 +119,7 @@ static function filenames($filelist)
 		$filenames = $special[$file] ?: (file_exists("$local/" . it::match('^[^?]*', $file)) ? "$local/$file" : "$libsearch/itjs/$file");
 
 		foreach (explode(",", $filenames) as $filename)
-			if (!$seen[$filename]++ && file_exists(it::match('^[^?]*', $filename)))
+			if (!$seen[$filename]++ && file_exists(($fn = it::match('^[^?]*', $filename))) && is_file($fn))
 				$result[] = $filename;
 	}
 
-- 
cgit v1.2.3