From 82ff67d50a245c09f9c7c49b2c50f17b7dc06679 Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Tue, 19 Jun 2018 18:18:27 +0200
Subject: safe variants of php file funcs
---
 it.class | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
(limited to 'it.class')
diff --git a/it.class b/it.class
index c601c9c..247b50f 100644
--- a/it.class
+++ b/it.class
@@ -1070,7 +1070,7 @@ static function add_dir($path)
 */
 static function file_get($filename, $p = array())
 {
- if (($data = file_get_contents($filename == "-" ? "php://stdin" : $filename)) !== false)
+ if (($data = it::file_get_contents($filename == "-" ? "php://stdin" : $filename)) !== false)
 {
 if ($p['keyval'])
 {
@@ -1099,6 +1099,8 @@ static function file_get($filename, $p = array())
 */
 static function file_put($filename, $data, $p = array())
 {
+ $filename = it::safe_filename($filename);
+
 if ($p['keyval'])
 $data = join("", it::map('"$k\t$v\n"', $data));
 else if ($p['lines'])
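Review bot: In `file_put` the new first line reassigns `$filename` from `it::safe_filename()` without stating what the call guarantees, and the docblock that ends just above the signature is not updated. A one-line comment such as `// reports names containing "./" via it::error(); the name itself is used unchanged` would keep readers from assuming the path has been sanitized. `file_get` in the previous hunk picks up the same check indirectly through `it::file_get_contents()`, so its docblock deserves the same remark. The rest of `file_put`'s body lies outside the hunk.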
@@ -1168,4 +1170,37 @@ static function mod($a, $n)
 return (($a % $n) + $n) % $n;
 }
+static function safe_filename($filename)
+{
+ if (it::match("\./", $filename))
+ it::error(['to' => "mueller", 'title' => "fishy filename $filename"]);
+
+ return $filename;
+}
+
+static function file_get_contents($filename, $use_include_path = false, $context = null, $offset = 0)
+{
+ return file_get_contents(it::safe_filename($filename), $use_include_path, $context, $offset);
+}
+
+static function file_put_contents($filename, $data, $flags = 0, $resource = null)
+{
+ return file_put_contents(it::safe_filename($filename), $data, $flags, $resource);
+}
+
+static function fopen($filename, $mode, $use_include_path = false, $context = null)
+{
+ return fopen(it::safe_filename($filename), $mode, $use_include_path, $context);
+}
+
+static function file($filename, $flags = 0, $context = null)
+{
+ return file(it::safe_filename($filename), $flags, $context);
+}
+
+static function readfile($filename, $use_include_path = false, $context = null)
+{
+ return readfile(it::safe_filename($filename), $use_include_path, $context);
+}
+
 }
--
cgit v1.2.3
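Review bot: `safe_filename()` reports a name containing `./` through `it::error()` and then returns it unchanged, so unless `it::error()` aborts (not visible here) every wrapper added below it, and `file_get` / `file_put` in the earlier hunks, still opens the flagged path; despite its name the helper only detects. If blocking is intended, fail closed after the report, for example by adding `throw new InvalidArgumentException("fishy filename");` (the `if` then needs braces); otherwise give the function a docblock saying the check is advisory. The pattern `\./` also flags ordinary relative names such as `./file`, while absolute paths and scheme-prefixed names pass unreported, so it should not be relied on as validation of untrusted input. Separately, the `fopen`, `file` and `readfile` wrappers forward a default `$context = null`; as far as I know PHP releases before 8.0 reject an explicit `null` context for these three with a warning, so the defaults should be tested on the deployed version.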