diff options
Diffstat (limited to 'inc')
| -rw-r--r-- | inc/Tar.class.php | 28 | ||||
| -rw-r--r-- | inc/auth.php | 14 |
2 files changed, 22 insertions, 20 deletions
diff --git a/inc/Tar.class.php b/inc/Tar.class.php index d1a38ea0e..bc87d7d29 100644 --- a/inc/Tar.class.php +++ b/inc/Tar.class.php @@ -568,29 +568,23 @@ class Tar { } /** - * Cleans up a path and removes relative parts + * Cleans up a path and removes relative parts, also strips leading slashes * * @param string $p_dir * @return string */ - protected function cleanPath($p_dir) { - $r = ''; - if($p_dir) { - $subf = explode("/", $p_dir); - - for($i = count($subf) - 1; $i >= 0; $i--) { - if($subf[$i] == ".") { - # do nothing - } elseif($subf[$i] == "..") { - $i--; - } elseif(!$subf[$i] && $i != count($subf) - 1 && $i) { - # do nothing - } else { - $r = $subf[$i].($i != (count($subf) - 1) ? "/".$r : ""); - } + public function cleanPath($path) { + $path=explode('/', $path); + $newpath=array(); + foreach($path as $p) { + if ($p === '' || $p === '.') continue; + if ($p==='..') { + array_pop($newpath); + continue; } + array_push($newpath, $p); } - return $r; + return trim(implode('/', $newpath), '/'); } /** diff --git a/inc/auth.php b/inc/auth.php index be6b7ebbe..1c0bf5b4f 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -136,22 +136,30 @@ function auth_loadACL() { $acl = file($config_cascade['acl']['default']); - //support user wildcard $out = array(); foreach($acl as $line) { $line = trim($line); if($line{0} == '#') continue; list($id,$rest) = preg_split('/\s+/',$line,2); + // substitue user wildcard first (its 1:1) + if(strstr($line, '%USER%')){ + // if user is not logged in, this ACL line is meaningless - skip it + if (!isset($_SERVER['REMOTE_USER'])) continue; + + $id = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id); + $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest); + } + + // substitute group wildcard (its 1:m) if(strstr($line, '%GROUP%')){ + // if user is not logged in, grps is empty, no output will be added (i.e. skipped) foreach((array) $USERINFO['grps'] as $grp){ $nid = str_replace('%GROUP%',cleanID($grp),$id); $nrest = str_replace('%GROUP%','@'.auth_nameencode($grp),$rest); $out[] = "$nid\t$nrest"; } } else { - $id = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id); - $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest); $out[] = "$id\t$rest"; } } |