sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use SCRIPT_NAME instead of PHP_SELF which won't send the PATH_INFO, this prevents XSS in old browsers. Thanks to Nico Golde.

remotes/origin/stable45
Lukas Reschke 2012-08-18 09:30:01 +07:00
parent f1cabdd8e0
commit 6ef5edf5ea
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/files/index.php
Unescape Escape View File

@ -39,7 +39,7 @@ OCP\App::setActiveNavigationEntry( 'files_index' );
$dir = isset( $_GET['dir'] ) ? stripslashes($_GET['dir']) : '';
// Redirect if directory does not exist
if(!OC_Filesystem::is_dir($dir.'/')) {
header('Location: '.$_SERVER['PHP_SELF'].'');
header('Location: '.$_SERVER['SCRIPT_NAME'].'');
exit();
}