1.3 KiB
1.3 KiB
This was quickly converted from an e-mail, please consider it "temporary".
Each file specified by $_GET['f'] must:
- Have the same extension, either "css" or "js",
- Exist, and...
- Have a realpath() within a whitelist of subdirectories.
The default whitelist contains only DOCUMENT_ROOT, but can be specified.
Then, a few more steps just to be paranoid:
- If a base was given by
$_GET['b'], it can't have "..". $_GET['f']must not contain "//", "", or "./".- There can be no duplicates and only a limited number of files can be specified.