Fixed a security error in the server side file retriever script of the web app.

This commit is contained in:
josdejong 2013-07-31 21:42:09 +02:00
parent 02c5fa416b
commit 01f6112261
4 changed files with 15 additions and 8 deletions


@ -7,6 +7,8 @@ http://jsoneditoronline.org
- Fixed non working option `indentation`. - Fixed non working option `indentation`.
- Fixed css not being loaded with AMD in case of multiple scripts. - Fixed css not being loaded with AMD in case of multiple scripts.
- Fixed a security error in the server side file retriever script of
the web application.
## 2013-05-27, version 2.2.1 ## 2013-05-27, version 2.2.1


@ -51,14 +51,19 @@ if ($method == 'GET') {
'header' => "Accept: application/json\r\n" 'header' => "Accept: application/json\r\n"
) )
)); ));
$body = file_get_contents($url, false, $context); if (preg_match('/^https?:\/\//', $url)) { // only allow to fetch http:// and https:// urls
if ($body != false) { $body = file_get_contents($url, false, $context);
header("Content-Disposition: attachment; filename=\"$filename\""); if ($body != false) {
header('Content-type: application/json'); header("Content-Disposition: attachment; filename=\"$filename\"");
echo $body; header('Content-type: application/json');
echo $body;
}
else {
header('HTTP/1.1 404 Not Found');
}
} }
else { else {
header('HTTP/1.1 404 Not Found'); header('HTTP/1.1 403 Forbidden');
} }
} }
else if (isset($_GET['id'])) { else if (isset($_GET['id'])) {
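Review bot: The scheme allow-list on the new `if (preg_match('/^https?:\/\//', $url))` line still lets the server fetch any http(s) URL the client supplies, so the request can be pointed at loopback, private or link-local hosts reachable from the server (SSRF); the scheme check should be paired with a host check before `file_get_contents` runs, and since the http wrapper follows redirects by default, `follow_location` in the `http` stream context deserves an explicit value. The comparison `if ($body != false)` is loose: a fetched body of `""` or `"0"` is reported as 404, so use `if ($body !== false)`. `$filename` is assigned outside the hunk; if it comes from the request it should have `"`, CR and LF removed before being interpolated into the `Content-Disposition` header. The enclosing `if ($method == 'GET')` block begins before the hunk.
```php
// … unchanged: stream context creation …
$host = parse_url($url, PHP_URL_HOST);
// gethostbyname() returns the unresolved name on failure, which FILTER_VALIDATE_IP then rejects
$ip = is_string($host) ? gethostbyname($host) : false;
$isPublicHost = $ip !== false
    && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
if (preg_match('/^https?:\/\//', $url) && $isPublicHost) { // only allow public http:// and https:// urls
    $body = file_get_contents($url, false, $context);
    if ($body !== false) {
        // … unchanged: download headers and echo …
```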


@ -1,6 +1,6 @@
{ {
"name": "jsoneditor", "name": "jsoneditor",
"version": "2.3.0-SNAPSHOT", "version": "2.2.2-SNAPSHOT",
"description": "A web-based tool to view, edit and format JSON", "description": "A web-based tool to view, edit and format JSON",
"tags": [ "tags": [
"json", "json",


@ -1,6 +1,6 @@
{ {
"name": "jsoneditor", "name": "jsoneditor",
"version": "2.3.0-SNAPSHOT", "version": "2.2.2-SNAPSHOT",
"description": "A web-based tool to view, edit and format JSON", "description": "A web-based tool to view, edit and format JSON",
"tags": [ "tags": [
"json", "json",