prevent directory traversal
This commit is contained in:
@@ -15,6 +15,10 @@ $db->busyTimeout(1000);
|
|||||||
|
|
||||||
if(isset($_GET['deletefile'])) {
|
if(isset($_GET['deletefile'])) {
|
||||||
ensure_authenticated('You must be authenticated to delete files.');
|
ensure_authenticated('You must be authenticated to delete files.');
|
||||||
|
if (preg_match('~^.*(\.\.\/).+$~', $_GET['deletefile'])) {
|
||||||
|
echo "Error";
|
||||||
|
die();
|
||||||
|
}
|
||||||
$db_writable = new SQLite3('./scripts/birds.db', SQLITE3_OPEN_READWRITE);
|
$db_writable = new SQLite3('./scripts/birds.db', SQLITE3_OPEN_READWRITE);
|
||||||
$db->busyTimeout(1000);
|
$db->busyTimeout(1000);
|
||||||
$statement1 = $db_writable->prepare('DELETE FROM detections WHERE File_Name = :file_name LIMIT 1');
|
$statement1 = $db_writable->prepare('DELETE FROM detections WHERE File_Name = :file_name LIMIT 1');
|
||||||
|
|||||||
Reference in New Issue
Block a user