diff --git a/lib/configonlylib.php b/lib/configonlylib.php
index 86568ed0cf3..72e5d5143ae 100644
--- a/lib/configonlylib.php
+++ b/lib/configonlylib.php
@@ -168,9 +168,11 @@ function min_enable_zlib_compression() {
 * Note: ".php" is NOT allowed in slasharguments,
 * it is intended for ASCII characters only.
 *
+ * @param boolean $clean - Should we do cleaning on this path argument. If you set this
+ * to false you MUST be very careful and do the cleaning manually.
 * @return string
 */
-function min_get_slash_argument() {
+function min_get_slash_argument($clean = true) {
 // Note: This code has to work in the same cases as normal get_file_argument(),
 // but at the same time it may be simpler because we do not have to deal
 // with encodings and other tricky stuff.
@@ -180,7 +182,12 @@ function min_get_slash_argument() {
 if (!empty($_GET['file']) and strpos($_GET['file'], '/') === 0) {
 // Server is using url rewriting, most probably IIS.
 // Always clean the result of this function as it may be used in unsafe calls to send_file.
- return min_clean_param($_GET['file'], 'SAFEPATH');
+ $relativepath = $_GET['file'];
+ if ($clean) {
+ $relativepath = min_clean_param($relativepath, 'SAFEPATH');
+ }
+
+ return $relativepath;
 } else if (stripos($_SERVER['SERVER_SOFTWARE'], 'iis') !== false) {
 if (isset($_SERVER['PATH_INFO']) and $_SERVER['PATH_INFO'] !== '') {
@@ -199,5 +206,8 @@ function min_get_slash_argument() {
 }
 // Always clean the result of this function as it may be used in unsafe calls to send_file.
- return min_clean_param($relativepath, 'SAFEPATH');
+ if ($clean) {
+ $relativepath = min_clean_param($relativepath, 'SAFEPATH');
+ }
+ return $relativepath;
 }
diff --git a/theme/yui_combo.php b/theme/yui_combo.php
index 49578085088..9442d395e47 100644
--- a/theme/yui_combo.php
+++ b/theme/yui_combo.php
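Review bot: The new `$clean` docblock in the first hunk (-168,9 +168,11) says only to "do the cleaning manually", which is too thin a contract for a flag that switches off the function's only sanitisation. It should name the filter and the obligation, for example `@param bool $clean Pass the result through min_clean_param(..., 'SAFEPATH'). When false the return value is unfiltered request data and the caller MUST clean every path component before it is used in a file path or passed to send_file.` The type is also better written as `bool` than `boolean`. The function body continues past the end of this hunk.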
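Review bot: The context comment `// Always clean the result of this function as it may be used in unsafe calls to send_file.` in the second hunk (-180,7 +182,12) is no longer true: with `$clean` false, the branch below it returns `$_GET['file']` exactly as received. The same stale comment sits above the conditional in the last hunk (-199,5 +206,8). Both should be reworded, for example `// Clean unless the caller explicitly opted out; an uncleaned value is raw request input and must never reach send_file as-is.` The function starts before the second hunk and its middle section lies between the two hunks, so any other return paths are not visible here.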
@@ -458,7 +458,7 @@ function combo_params() {
 // note: buggy or misconfigured IIS does return the query string in REQUEST_URI
 return array($_SERVER['QUERY_STRING'], false);
- } else if ($slashargument = min_get_slash_argument()) {
+ } else if ($slashargument = min_get_slash_argument(false)) {
 $slashargument = ltrim($slashargument, '/');
 return array($slashargument, true);
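Review bot: Passing `false` to `min_get_slash_argument()` makes `$slashargument` raw request data, and the only processing visible in this hunk is `ltrim($slashargument, '/')` before it is returned. Presumably the combo string is split and each part cleaned further down the script, perhaps because SAFEPATH cleaning of the whole string would strip the separators between parts. That needs confirming, since `combo_params()` starts and ends outside the hunk and nothing visible enforces it. A comment at the call site would record the obligation, for example `// Deliberately not cleaned here: every part MUST go through min_clean_param($part, 'SAFEPATH') before it is used to build a file path.` A test requesting a combo path that contains `..` segments would guard against a later refactor dropping that per-part cleaning.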