Diffstat (limited to 'admin/plugin.php')
-rw-r--r--admin/plugin.php20
1 files changed, 14 insertions, 6 deletions
diff --git a/admin/plugin.php b/admin/plugin.php
index a057e87c8..1657f10c8 100644
--- a/admin/plugin.php
+++ b/admin/plugin.php
@@ -33,27 +33,35 @@ if( !defined("PHPWG_ROOT_PATH") )
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
check_status(ACCESS_ADMINISTRATOR);
-$section = explode('~', $_GET['section'] );
-if (count($section)!=2)
+$sections = explode('/', $_GET['section'] );
+for ($i=0; $i<count($sections); $i++)
+{
+ if (empty($sections[$i]) or $sections[$i]=='..')
+ {
+ unset($sections[$i]);
+ $i--;
+ }
+}
+
+if (count($sections)<2)
{
die('Invalid plugin URL');
}
-$plugin_id = $section[0];
+$plugin_id = $sections[0];
$check_db_plugin = get_db_plugins('active', $plugin_id );
if (empty($check_db_plugin))
{
die('Invalid URL - plugin '.$plugin_id.' not active');
}
-$section[1]=str_replace('./', '', $section[1]); // no up in dir structure
-$filename = PHPWG_PLUGINS_PATH.$plugin_id.'/'.$section[1].'.php';
+$filename = PHPWG_PLUGINS_PATH.implode('/', $sections);
if (is_file($filename))
{
include_once($filename);
}
else
{
- die('Missing '.$filename);
+ die('Missing file '.$filename);
}
?>
\ No newline at end of file
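Review bot: The segment-cleanup loop on the new side never terminates once it drops a segment that is not the last one: `unset($sections[$i])` leaves a hole at index `$i`, the following `$i--`/`$i++` lands on that same index again, and `empty()` of a missing index is true, so a request such as `section=plugin//admin.php` or `section=plugin/../admin.php` spins until `max_execution_time` (a one-request DoS against the admin script). Replacing the loop with `$sections = array_values(array_diff(explode('/', $_GET['section']), array('', '..')));` removes the holes and also guarantees `$sections[0]` exists before it is read into `$plugin_id`. Separately, the removed code appended `.php` to the included path while the new `implode()` does not, so any file shipped inside an active plugin's directory (templates, language or data files) is now includable as PHP; adding `if (substr($filename, -4) !== '.php') die('Invalid plugin URL');` before the `is_file()` check restores that constraint. On Windows hosts a backslash is also a directory separator but is not split by `explode('/')`, so a segment like `foo\..\..\x.php` would pass the `..` comparison — presumably not the target platform, but worth confirming. Both `die()` messages echo request-derived text (`$plugin_id`, `$filename`) back unescaped; wrapping them in `htmlspecialchars()` avoids a reflected XSS against the administrator viewing the error.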