Add additional check for allowed feed tpls (#431)

2016-12-14 12:43:50 +01:00 · 2016-12-14 12:43:50 +01:00 · e9f98f80f0
commit e9f98f80f0
parent cb03731e90
1 changed files with 7 additions and 0 deletions
--- a/rss.php
+++ b/rss.php
@ -20,6 +20,13 @@ $comments    = FALSE;

 if (empty($version)) {
    list($version) = serendipity_discover_rss($_GET['file'], $_GET['ext']);
+} else {
+    # be sure it is an allowed version, to prevent attackers sniffing for unrelated files on the file system
+    $allowed_versions = ['opml1.0', '0.91', '1.0',  '2.0', 'atom0.3', 'atom1.0'];
+    if (! in_array($version, $allowed_versions)) {
+        header('Status: 404 Not Found');
+        exit;
+    }
 }

 if (isset($_GET['category'])) {