From 48f5b9ab822494bba3db7f4b24e9e375defd7984 Mon Sep 17 00:00:00 2001
From: Fil <fil@rezo.net>
Date: Mon, 2 May 2005 07:39:52 +0000
Subject: [PATCH] =?UTF-8?q?s=C3=A9curit=C3=A9=20de=20page.php3=20:=20v?=
 =?UTF-8?q?=C3=A9rfier=20que=20le=20squelette=20vis=C3=A9=20se=20trouve=20?=
 =?UTF-8?q?dans=20squelettes/=20=20(ou=20un=20de=20ses=20sous-repertoires)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 page.php3 | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/page.php3 b/page.php3
index 77ca196aa1..da4228577e 100644
--- a/page.php3
+++ b/page.php3
@@ -1,12 +1,21 @@
 <?php
 
-$fond = $_GET["fond"];
+if (!$fond = $_GET["fond"]) {
+	$fond = $contexte_inclus['fond'];
+}
 
-if (ereg("\/", $fond)) die ("Ben voyons");
-if (strpos("\.\.", $fond) > 0) die ("Faut pas se gener");
+// Securite : le squelette *doit* exister dans squelettes/
+if (strstr($fond, '..')) {
+	die ("Faut pas se gener");
+}
+if (!function_exists('find_in_path')) {
+	include ('ecrire/inc_version.php3');
+}
+if (preg_match(',^squelettes/,', find_in_path("$fond.html"))) {
+	include ("inc-public.php3");
+} else {
+	spip_log("page.php3: le squelette $fond.html *doit* se trouver dans squelettes/");
+}
 
-$delais = 24 * 3600;
-
-include ("inc-public.php3");
 
 ?>
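Review bot: `$fond` is still request-controlled when it reaches `find_in_path()` and `spip_log()`, because the only filter left on it is the `strstr($fond, '..')` test. With the old slash check gone, an array value or one containing control characters (a NUL byte, a newline) passes through and is interpolated into the log line unchanged. An allowlist placed right after the assignment would close that, e.g. `if (!is_string($fond) || !preg_match(',^[a-zA-Z0-9_-]+(/[a-zA-Z0-9_-]+)*$,D', $fond)) die ("Faut pas se gener");`; widen the character class if skeleton names legitimately use other characters. The prefix test validates the path returned by `find_in_path()`, while `inc-public.php3` presumably resolves `$fond` again on its own, so it is worth confirming that both resolve to the same file. In the `else` branch the request ends with an empty 200 response, and sending a 404 status there would make rejected requests visible to monitoring.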
-- 
GitLab