From af120fdda3622c1e03570507cfb597b119a4ad4a Mon Sep 17 00:00:00 2001
From: ahaber
Date: Wed, 22 Jan 2014 15:27:05 +0100
Subject: [PATCH] fix for issue #8 adds checks for file extension of referenced bibtexfiles
---
 .gitignore | 1 +
 bibtexbrowser.php | 4 ++++
 2 files changed, 5 insertions(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d8fe4fa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.project
diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index af8c346..ddb281c 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -213,6 +213,10 @@ function _zetDB($bibtex_filenames) {
 set_magic_quotes_runtime(false);
 }
+ // get file extension to only allow .bib files
+ $ext = pathinfo($bib, PATHINFO_EXTENSION);
+ // this is a security protection
+ if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
 // default bib file, if no file is specified in the query string.
 if (!isset($bibtex_filenames) || $bibtex_filenames == "") {
 default_message();