Some code added to protect from directory traversal attack.

SUKOHI · Apr 8, 2015 · d22337d · d22337d
1 parent e459d05
commit d22337d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -85,6 +85,9 @@ Usage
 		'surpass' => $surpass
 			
 	]);
+
+
+*Note: method dir('dir_name') can no longer receive "/" and "." to protect from directory traversal attack.
 
 **Upload  (in View)**
 

diff --git a/src/Sukohi/Surpass/Surpass.php b/src/Sukohi/Surpass/Surpass.php
@@ -50,7 +50,7 @@ public function path($path) {
 
     public function dir($dir) {
 
-        $this->_dir = $dir;
+        $this->_dir = str_replace(["\0", '/', '.'], '', $dir);
         $this->_id_hidden_name = self::ID_HIDDEN_NAME .'_'. $dir;
         return $this;
-Original file line number
+Diff line change
@@ Expand Up / @@ -85,6 +85,9 @@ Usage @@
     		'surpass' => $surpass
     	]);
+    *Note: method dir('dir_name') can no longer receive "/" and "." to protect from directory traversal attack.
     **Upload  (in View)**
@@ Expand Down @@