Fixed a security error in the server side file retriever script of the web app.

This commit is contained in:
josdejong 2013-07-31 21:42:09 +02:00
parent 02c5fa416b
commit 01f6112261
4 changed files with 15 additions and 8 deletions

View File

@ -7,6 +7,8 @@ http://jsoneditoronline.org
- Fixed non working option `indentation`.
- Fixed css not being loaded with AMD in case of multiple scripts.
- Fixed a security error in the server side file retriever script of
the web application.
## 2013-05-27, version 2.2.1

View File

@ -51,6 +51,7 @@ if ($method == 'GET') {
'header' => "Accept: application/json\r\n"
)
));
if (preg_match('/^https?:\/\//', $url)) { // only allow to fetch http:// and https:// urls
$body = file_get_contents($url, false, $context);
if ($body != false) {
header("Content-Disposition: attachment; filename=\"$filename\"");
@ -61,6 +62,10 @@ if ($method == 'GET') {
header('HTTP/1.1 404 Not Found');
}
}
else {
header('HTTP/1.1 403 Forbidden');
}
}
else if (isset($_GET['id'])) {
// retrieve the file with given id from disk, return it,
// and remove it from disk

View File

@ -1,6 +1,6 @@
{
"name": "jsoneditor",
"version": "2.3.0-SNAPSHOT",
"version": "2.2.2-SNAPSHOT",
"description": "A web-based tool to view, edit and format JSON",
"tags": [
"json",

View File

@ -1,6 +1,6 @@
{
"name": "jsoneditor",
"version": "2.3.0-SNAPSHOT",
"version": "2.2.2-SNAPSHOT",
"description": "A web-based tool to view, edit and format JSON",
"tags": [
"json",