authorAndrew Dolgov <[email protected]>2020-09-14 19:46:52 +0300
committerAndrew Dolgov <[email protected]>2020-09-14 19:46:52 +0300
commitc3d14e1fa54c7dade7b1b7955575e2991396d7ef (patch)
treeadf8415ace77f14bf8042cb518d0c78fecc5baef /classes/pluginhost.php
parent5b17fdc36281dd11e4ba0830f368a29aaba134da (diff)
- fix multiple vulnerabilities in af_proxy_http
- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
Diffstat (limited to 'classes/pluginhost.php')
-rwxr-xr-xclasses/pluginhost.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/classes/pluginhost.php b/classes/pluginhost.php
index 4fec13000..c6c036783 100755
--- a/classes/pluginhost.php
+++ b/classes/pluginhost.php
@@ -193,7 +193,7 @@ class PluginHost {
foreach ($plugins as $class) {
$class = trim($class);
- $class_file = strtolower(clean_filename($class));
+ $class_file = strtolower(basename(clean($class)));
if (!is_dir(__DIR__."/../plugins/$class_file") &&
!is_dir(__DIR__."/../plugins.local/$class_file")) continue;
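Review bot: `basename()` on the added line removes directory components but still returns `..`, `.` or an empty string for such input, and each of those passes the `is_dir()` test that follows, so `$class_file` is not yet guaranteed to name a plugin directory. Before the directory check I would reject anything that is not a plain identifier, for example `if (!preg_match('/^[a-z0-9_]+$/', $class_file)) continue;`. The allowed character set is my assumption about plugin directory naming and should be confirmed against the existing plugins. The loop body continues outside this hunk, so how `$class_file` is used after the check (presumably to build an include path) is inferred rather than visible here.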