You can't escape the webroot

This commit is contained in:
southerntofu 2021-03-20 17:53:54 +01:00
parent 708dc5a3f1
commit 79b32dda8e
2 changed files with 11 additions and 1 deletions

includes/nice_try.md Normal file

@ -0,0 +1,3 @@
# Nice try, script kiddie
You thought you could escape the webroot?


@ -9,6 +9,14 @@ include('parsedown-1.7.3/Parsedown.php');
$page = isset($_GET['page']) ? $_GET['page'] : 'main';
// Sanitize page request so we don't allow to read EVERY markdown file
// for example ../../../home/foobar/mysecretdocument
if (strpos($page, "../") !== false) {
$content_file = "includes/nice_try.md";
} else {
$content_file = "articles/$page.md";
}
$Parsedown = new Parsedown();
$Parsedown->setSafeMode(true);
@ -19,7 +27,6 @@ else
$header = file_get_contents("includes/header.md");
$sidebar = file_get_contents("includes/sidebar.md");
$content_file = "articles/$page.md";
$content = file_exists($content_file) ? file_get_contents($content_file) : str_replace('$page', "$page", file_get_contents("includes/404.md"));
$footer = file_get_contents("includes/footer.md");
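Review bot: The denylist in `if (strpos($page, "../") !== false) {` rejects only the literal `../` sequence and otherwise leaves `$page` unconstrained before it is interpolated into `"articles/$page.md"`; on a Windows host `..\` is also a path separator, and the 404 branch's `str_replace('$page', "$page", ...)` copies the raw query value into the response, which is only safe if that text still goes through the Parsedown safe mode enabled above (not visible in this section). An allowlist is both shorter and closed: replace the strpos test with `if (!preg_match('/^[A-Za-z0-9_-]+$/', $page)) {`, or resolve the candidate with `realpath()` and require the result to lie under the articles directory before reading it. A comment stating the intent would help future readers, e.g. `// Only plain slugs may name an article; anything else gets the decoy page`. The script is top-level; the code around both hunks lies outside this section.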