diff options
author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-08-27 13:38:41 -0400 |
---|---|---|
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-08-27 13:38:41 -0400 |
commit | 0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b (patch) | |
tree | e9a4e0a36c876abc50f520903a1a3569c9772bf6 /config/suricata | |
parent | c6c37ebc83e934fbdddae369435d7b92b94adb14 (diff) | |
download | pfsense-packages-0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b.tar.gz pfsense-packages-0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b.tar.bz2 pfsense-packages-0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b.zip |
Improve security handling provided filename values.
Diffstat (limited to 'config/suricata')
-rw-r--r-- | config/suricata/suricata_sid_mgmt.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/config/suricata/suricata_sid_mgmt.php b/config/suricata/suricata_sid_mgmt.php index 07a09178..c69a9fcd 100644 --- a/config/suricata/suricata_sid_mgmt.php +++ b/config/suricata/suricata_sid_mgmt.php @@ -96,7 +96,7 @@ function suricata_is_sidmodslist_active($sidlist) { if (isset($_POST['upload'])) { if ($_FILES["sidmods_fileup"]["error"] == UPLOAD_ERR_OK) { $tmp_name = $_FILES["sidmods_fileup"]["tmp_name"]; - $name = $_FILES["sidmods_fileup"]["name"]; + $name = basename($_FILES["sidmods_fileup"]["name"]); move_uploaded_file($tmp_name, "{$sidmods_path}{$name}"); } else @@ -104,8 +104,8 @@ if (isset($_POST['upload'])) { } if (isset($_POST['sidlist_delete']) && isset($_POST['sidlist_fname'])) { - if (!suricata_is_sidmodslist_active($_POST['sidlist_fname'])) - unlink_if_exists("{$sidmods_path}{$_POST['sidlist_fname']}"); + if (!suricata_is_sidmodslist_active(basename($_POST['sidlist_fname']))) + unlink_if_exists($sidmods_path . basename($_POST['sidlist_fname'])); else $input_errors[] = gettext("This SID Mods List is currently assigned to an interface and cannot be deleted."); } |