From ee6d938a7d19175d6f91e0f09a4c0c247fb61397 Mon Sep 17 00:00:00 2001
From: Chris Kankiewicz
Date: Wed, 8 May 2013 09:14:53 -0700
Subject: [PATCH] Added some protection against hashing files outside of the listed folder tree

---
 resources/DirectoryLister.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/resources/DirectoryLister.php b/resources/DirectoryLister.php
index c5133f7f6..c71e20c27 100644
--- a/resources/DirectoryLister.php
+++ b/resources/DirectoryLister.php
@@ -245,6 +245,22 @@ public function getFileHash($filePath) {
 // Placeholder array
 $hashArray = array();
 
+ // Verify file path exists and is a directory
+ if (!file_exists($filePath)) {
+ return json_encode($hashArray);
+ }
+
+ // Prevent access to hidden files
+ if ($this->_isHidden($filePath)) {
+ return json_encode($hashArray);
+ }
+
+ // Prevent access to parent folders
+ if (strpos($filePath, '<') !== false || strpos($filePath, '>') !== false
+ || strpos($filePath, '..') !== false || strpos($filePath, '/') === 0) {
+ return json_encode($hashArray);
+ }
+
 // Generate file hashes
 $hashArray['md5'] = hash_file('md5', $filePath);
 $hashArray['sha1'] = hash_file('sha1', $filePath);
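Review bot: The parent-folder guard added ahead of the `hash_file()` calls is a substring blacklist on the raw `$filePath`, so it never establishes that the resolved file sits inside the listed tree; a symlink under the tree, a Windows-style absolute path, or a scheme-prefixed path handled by PHP's stream wrappers is not covered by the `..` and leading-`/` tests. Canonicalise first and compare against the listing root, e.g. `$real = realpath($filePath);` followed by `if ($real === false || !is_file($real) || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) { return json_encode($hashArray); }`, then hash `$real`; `$root` here is a placeholder for the `realpath()` of the listing root, which this hunk does not show. The first new comment says "is a directory" while the code calls `file_exists()`, and since the target is about to be hashed `is_file()` matches the intent better. `getFileHash()` starts and continues outside the hunk and `_isHidden()` is not visible, so whether either already normalises the path should be confirmed.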