From: Michael M Slusarz
Date: Tue, 25 May 2010 05:02:25 +0000 (-0600)
Subject: Filter subdir input
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=9342addbd2b95f184f230773daa4faf5ef6d65e9;p=horde.git
Filter subdir input
---
diff --git a/horde/util/icon_browser.php b/horde/util/icon_browser.php
index e8ca6dfd2..e86b84436 100644
--- a/horde/util/icon_browser.php
+++ b/horde/util/icon_browser.php
@@ -34,7 +34,7 @@ if (($app = basename($vars->app)) && isset($apps[$app])) {
 exit(sprintf(_("Base graphics directory \"%s\" not found."), $dir));
 }
- if (($subdir = basename($vars->subdir))) {
+ if (($subdir = basename(filter_var($vars->subdir, FILTER_SANITIZE_STRING)))) {
 $dir .= DIRECTORY_SEPARATOR . $subdir;
 if (!is_dir($dir)) {
 exit(sprintf(_("Subdirectory \"%s\" not found."), $dir));
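Review bot: On the added `if (($subdir = basename(filter_var(...))))` line, `FILTER_SANITIZE_STRING` only strips tags and encodes quotes, so it is not a path check, and `basename()` returns `.` and `..` unchanged. A `subdir` of `..` would therefore still pass the following `is_dir($dir)` test and point `$dir` above the app's graphics directory. I would reject those values explicitly, e.g. `if (($subdir = basename($vars->subdir)) && $subdir !== '.' && $subdir !== '..') {`. If the filter is there to keep markup out of the "Subdirectory not found" message (presumably rendered as HTML), escaping at the output is the more reliable place: `exit(sprintf(_("Subdirectory \"%s\" not found."), htmlspecialchars($dir)));`. The `if` block's body continues past the end of the hunk, so how `$dir` is used afterwards is not visible here.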