Fix hard-coded path issues that stopped flags from showing - simplified

Andy Taylor 2025-10-21 10:36:13 +01:00
parent e21fa2e404
commit 50078541eb


@ -149,28 +149,13 @@ class xReflector {
}
public function SetFlagFile($Flagfile) {
// Prevent path traversal - get the real path
// Security: Only allow country.csv from the pgs directory
$expectedFile = dirname(__FILE__) . '/country.csv';
$realPath = realpath($Flagfile);
// If realpath fails, the file doesn't exist
if ($realPath === false) {
error_log("Flag file does not exist: " . $Flagfile);
return false;
}
// Security: Ensure it's the country.csv file we expect
if (basename($realPath) !== 'country.csv') {
error_log("Flag file must be country.csv, got: " . basename($realPath));
return false;
}
// Security: Ensure the file is in the same directory as this class file or subdirectory
$thisDir = dirname(__FILE__); // Gets /path/to/pgs
$thisDirReal = realpath($thisDir);
// The flag file must be in the same directory as this class
if (dirname($realPath) !== $thisDirReal) {
error_log("Flag file must be in the same directory as class files. Expected: " . $thisDirReal . ", Got: " . dirname($realPath));
// Must resolve to the exact expected file
if ($realPath !== $expectedFile) {
error_log("Flag file must be country.csv in pgs directory. Expected: " . $expectedFile . ", Got: " . $realPath);
return false;
}