From 058f8a11687f979e597c6f32b1836535ba5b4b88 Mon Sep 17 00:00:00 2001 From: ahaber Date: Tue, 29 Apr 2014 11:05:23 +0200 Subject: [PATCH] fixed XSS for non existing bib files --- bibtexbrowser.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bibtexbrowser.php b/bibtexbrowser.php index e4a1e95..edf2475 100755 --- a/bibtexbrowser.php +++ b/bibtexbrowser.php @@ -238,15 +238,15 @@ function _zetDB($bibtex_filenames) { // ---------------------------- HANDLING unexistent files foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) { - + $saveBib = htmlEntities($bib, ENT_QUOTES); // get file extension to only allow .bib files - $ext = pathinfo($bib, PATHINFO_EXTENSION); + $ext = pathinfo($saveBib, PATHINFO_EXTENSION); // this is a security protection - if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) { + if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) { // to automate dectection of faulty links with tools such as webcheck header('HTTP/1.1 404 Not found'); - die('the bib file '.$bib.' does not exist !'); + die('the bib file '.$saveBib.' does not exist !'); } } // end for each