Added some protection against hashing files outside of the listed fol…

…der tree
baoang · May 8, 2013 · ee6d938 · ee6d938
1 parent dc3fb68
commit ee6d938
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/resources/DirectoryLister.php b/resources/DirectoryLister.php
@@ -245,6 +245,22 @@ public function getFileHash($filePath) {
         // Placeholder array
         $hashArray = array();
 
+        // Verify file path exists and is a directory
+        if (!file_exists($filePath)) {
+            return json_encode($hashArray);
+        }
+
+        // Prevent access to hidden files
+        if ($this->_isHidden($filePath)) {
+            return json_encode($hashArray);
+        }
+
+        // Prevent access to parent folders
+        if (strpos($filePath, '<') !== false || strpos($filePath, '>') !== false
+        || strpos($filePath, '..') !== false || strpos($filePath, '/') === 0) {
+            return json_encode($hashArray);
+        }
+
         // Generate file hashes
         $hashArray['md5']    = hash_file('md5', $filePath);
         $hashArray['sha1']   = hash_file('sha1', $filePath);