From 358930b9bab0641d8a9f48a2a328061515a2998b Mon Sep 17 00:00:00 2001 From: plegall Date: Wed, 16 Nov 2005 21:18:56 +0000 Subject: - bug 207 fixed : security issue. Any visitor can reach any picture in picture.php only by deleting value for URL parameter "cat". git-svn-id: http://piwigo.org/svn/trunk@934 68402e56-0260-453c-a942-63ccdbb3a9ee --- picture.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'picture.php') diff --git a/picture.php b/picture.php index e597b6f64..b41de7112 100644 --- a/picture.php +++ b/picture.php @@ -31,6 +31,12 @@ define('PHPWG_ROOT_PATH','./'); include_once(PHPWG_ROOT_PATH.'include/common.inc.php'); //-------------------------------------------------- access authorization check check_cat_id( $_GET['cat'] ); + +if (!isset($page['cat'])) +{ + die($lang['access_forbiden']); +} + check_login_authorization(); if ( isset( $page['cat'] ) and is_numeric( $page['cat'] ) ) { -- cgit v1.2.3