phacility / xhprof

XHProf is a function-level hierarchical profiler for PHP and has a simple HTML based user interface.
http://pecl.php.net/package/xhprof
Apache License 2.0

$run is not extracted from the URL if it's not hex characters #58

Closed mike503 closed 8 years ago

mike503 commented 9 years ago

I have runs in /tmp that will load if I force a $run = $_GET['run']; in index.php

If I do not FORCE $run, only runs that match [a-f0-9] will be loaded.

So far I cannot figure out why it is not extracting $run from the query string with a limited character set. But this really messes things up when you want to define custom run_ids and they do not conform to a purely [a-f0-9] type naming convention.

mike503 commented 9 years ago

In utils/xhprof_lib.php it's due to this. What is the point of this?

if ($k === 'run') {
  $p = implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
}
mike503 commented 9 years ago

ping

epriestley commented 8 years ago

Imagine ?run=../../../../etc/passwd.

mike503 commented 8 years ago

Then there should still be a better way to deal with this. Accept a parameter but append .xhprof to it - always.

I forget now but the path isn't part of it. The directory is already forced in code. Basename() the param - something like that.
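The two approaches discussed in this thread, side by side, as an added example that is not xhprof project code: the hex-only filter from utils/xhprof_lib.php, the basename()-plus-forced-suffix idea from the comment above, and a third, hypothetical variant that rejects anything outside an allowlisted character set. The run directory `/tmp`, the `$source` value and the `<run>.<source>.xhprof` file layout are assumptions for the demo.

```php
<?php
// Added example, not code from the xhprof project. Shows what each approach
// turns the ?run= parameter into, including the traversal input from the thread.

// 1. The filter currently in utils/xhprof_lib.php: each comma-separated run id
//    must consist only of hex digits, otherwise that id is silently dropped.
//    This is what removes custom ids such as "my-custom-run".
function filter_run_hex(string $p): string {
    return implode(',', array_filter(explode(',', $p), 'ctype_xdigit'));
}

// 2. The proposal from the thread: keep the client value, strip any directory
//    component with basename(), then always append the fixed suffix.
//    basename() removes "../../../../etc/" so the path stays inside $dir.
function run_to_path_basename(string $dir, string $run, string $source): string {
    $name = basename($run);
    return $dir . '/' . $name . '.' . $source . '.xhprof';
}

// 3. Hypothetical stricter variant: allow custom ids but only from a fixed
//    character set, and reject the request instead of repairing the value.
//    (Does not handle comma-separated multi-run lists; that is a simplification.)
function run_to_path_allowlist(string $dir, string $run, string $source): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $run)) {
        return null;
    }
    return $dir . '/' . $run . '.' . $source . '.xhprof';
}

$dir    = '/tmp';          // assumed run directory
$source = 'xhprof_foo';    // assumed source name

// Constructed sample inputs.
$inputs = [
    'deadbeef0123',            // normal generated run id
    'my-custom-run',           // custom id the reporter wants to use
    '../../../../etc/passwd',  // traversal input from epriestley's comment
    'abc,../x',                // comma list: one hex id, one bad entry
];

foreach ($inputs as $in) {
    printf("input: %s\n", $in);
    printf("  hex filter : '%s'\n", filter_run_hex($in));
    printf("  basename   : %s\n", run_to_path_basename($dir, $in, $source));
    printf("  allowlist  : %s\n", run_to_path_allowlist($dir, $in, $source) ?? '(rejected)');
}
```

For the traversal input the hex filter yields an empty string, the basename variant yields `/tmp/passwd.xhprof_foo.xhprof` (a file inside the run directory, not `/etc/passwd`), and the allowlist variant rejects the request. For `my-custom-run` only the last two keep the id, which is the behaviour the reporter is after; the allowlist version keeps the restriction explicit rather than relying on basename() and the suffix alone.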