mirror/minify
1
0
Fork 0
mirror of https://github.com/mrclay/minify.git synced 2025-08-25 23:06:14 +02:00
Code Issues Releases Wiki Activity

Fixes #261: verify query string params are not arrays

Browse Source
This commit is contained in:
Steve Clay
2012-06-04 11:49:44 -04:00
parent 8fdf3db564
commit 666cd6d89a
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
min/lib/Minify/Controller/MinApp.php
View File

@@ -38,6 +38,10 @@ class Minify_Controller_MinApp extends Minify_Controller_Base {
$firstMissingResource = null;
if (isset($_GET['g'])) {
if (! is_string($_GET['g'])) {
$this->log("GET param 'g' was invalid");
return $options;
}
// add group(s)
$this->selectionId .= 'g=' . $_GET['g'];
$keys = explode(',', $_GET['g']);
@@ -92,6 +96,10 @@ class Minify_Controller_MinApp extends Minify_Controller_Base {
}
}
if (! $cOptions['groupsOnly'] && isset($_GET['f'])) {
if (! is_string($_GET['f'])) {
$this->log("GET param 'f' was invalid");
return $options;
}
// try user files
// The following restrictions are to limit the URLs that minify will
// respond to.
@@ -120,7 +128,8 @@ class Minify_Controller_MinApp extends Minify_Controller_Base {
}
if (isset($_GET['b'])) {
// check for validity
if (preg_match('@^[^/]+(?:/[^/]+)*$@', $_GET['b'])
if (is_string($_GET['b'])
&& preg_match('@^[^/]+(?:/[^/]+)*$@', $_GET['b'])
&& false === strpos($_GET['b'], '..')
&& $_GET['b'] !== '.') {
// valid base