prevent directory traversal

This commit is contained in:
frederik
2024-03-17 11:42:02 +01:00
parent ff58215ebe
commit ec134fa2e3
+4
View File
@@ -15,6 +15,10 @@ $db->busyTimeout(1000);
if(isset($_GET['deletefile'])) {
ensure_authenticated('You must be authenticated to delete files.');
if (preg_match('~^.*(\.\.\/).+$~', $_GET['deletefile'])) {
echo "Error";
die();
}
$db_writable = new SQLite3('./scripts/birds.db', SQLITE3_OPEN_READWRITE);
$db->busyTimeout(1000);
$statement1 = $db_writable->prepare('DELETE FROM detections WHERE File_Name = :file_name LIMIT 1');