aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--include/functions.inc.php14
-rw-r--r--include/ws_functions.inc.php6
2 files changed, 20 insertions, 0 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 093f207e9..513054ab9 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1540,4 +1540,18 @@ function convert_charset($str, $source_charset, $dest_charset)
}
return $str; //???
}
+
+/**
+ * makes sure a index.htm protects the directory from browser file listing
+ *
+ * @param string dir directory
+ */
+function secure_directory($dir)
+{
+ $file = $dir.'/index.htm';
+ if (!file_exists($file))
+ {
+ @file_put_contents($file, 'Not allowed!');
+ }
+}
?> \ No newline at end of file
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index 24170ec47..2e96370e1 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -951,6 +951,8 @@ SELECT
}
}
+ secure_directory($upload_dir);
+
// compute file path
$date_string = preg_replace('/[^\d]/', '', $dbnow);
$random_string = substr($params['file_sum'], 0, 8);
@@ -994,6 +996,8 @@ SELECT
}
}
+ secure_directory($thumbnail_dir);
+
// thumbnail path, the filename may use a prefix and the extension is
// always "jpg" (no matter what the real file format is)
$thumbnail_path = sprintf(
@@ -1044,6 +1048,8 @@ SELECT
}
}
+ secure_directory($high_dir);
+
// high resolution path, same name as web size file
$high_path = sprintf(
'%s/%s.%s',