prevent directory traversal
This commit is contained in:
@@ -15,6 +15,10 @@ $db->busyTimeout(1000);
|
||||
|
||||
if(isset($_GET['deletefile'])) {
|
||||
ensure_authenticated('You must be authenticated to delete files.');
|
||||
if (preg_match('~^.*(\.\.\/).+$~', $_GET['deletefile'])) {
|
||||
echo "Error";
|
||||
die();
|
||||
}
|
||||
$db_writable = new SQLite3('./scripts/birds.db', SQLITE3_OPEN_READWRITE);
|
||||
$db->busyTimeout(1000);
|
||||
$statement1 = $db_writable->prepare('DELETE FROM detections WHERE File_Name = :file_name LIMIT 1');
|
||||
|
||||
Reference in New Issue
Block a user