public/cached_url: forbid sending files with extensions

2019-08-14 10:45:46 +03:00 · 2019-08-14 10:45:46 +03:00 · 39f459eb04
parent d2f1cbfcb1
commit 39f459eb04
1 changed files with 3 additions and 0 deletions
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@ -1204,6 +1204,9 @@ class Handler_Public extends Handler {
 	function cached_url() {
 		list ($cache_dir, $filename) = explode("/", $_GET["file"], 2);

+		// we do not allow files with extensions at the moment
+		$filename = str_replace(".", "", $filename);
+
 		$cache = new DiskCache($cache_dir);

 		if ($cache->exists($filename)) {