From 08cc7f673c377bf88897743e340097e93f1e95f4 Mon Sep 17 00:00:00 2001 From: ftimme <ft@falkotimme.com> Date: Wed, 16 Jan 2013 09:30:05 -0500 Subject: [PATCH] - Changed regex for redirect path (Web sites, subdomains, vhost subdomains, alias domains) and web folder (vhost subdomains) so that ".." is not allowed (in order to prevent path traversals). - nginx: don't allow folders for proxy redirects (subdomains and alias domains); URL is required. - nginx: modified rewriting. --- interface/lib/classes/validate_cron.inc.php | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/interface/lib/classes/validate_cron.inc.php b/interface/lib/classes/validate_cron.inc.php index d49c280..e551af3 100644 --- a/interface/lib/classes/validate_cron.inc.php +++ b/interface/lib/classes/validate_cron.inc.php @@ -78,7 +78,7 @@ if(preg_match("'^[0-9\-\,\/\*]+$'", $field_value) == false) return $this->get_error($validator['errmsg']); // allowed characters are 0-9, comma, *, -, / elseif(preg_match("'[\-\,\/][\-\,\/]'", $field_value) == true) return $this->get_error($validator['errmsg']); // comma, - and / never stand together //* now split list and check each entry. store used values in array for later limit-check - $time_list = split(",", $field_value); + $time_list = explode(",", $field_value); if(count($time_list) < 1) return $this->get_error($validator['errmsg']); $max_entry = 0; -- Gitblit v1.9.1