/**
 * Exercises the editor filename sanitizers with accepted and rejected inputs.
 *
 * Each case pairs an input with the value the sanitizer is expected to hand
 * back: the unchanged name for an acceptable .conf file, and the empty
 * string for anything that must be refused (wrong or missing extension,
 * dotfiles, traversal sequences, wildcard characters).
 */
function testSanitizers()
{
    // wmeSanitizeConfigFile(): only a bare *.conf name survives
    $configCases = array(
        "test.conf"              => "test.conf",
        "te-st.conf"             => "te-st.conf",
        "test"                   => "",
        "test.png"               => "",
        "index.php"              => "",
        ".htaccess"              => "",
        "../../conf/apache.conf" => "",
        "../../etc/passwd"       => "",
        "file*.conf"             => "",
    );
    foreach ($configCases as $input => $expected) {
        $this->assertEquals($expected, wmeSanitizeConfigFile($input));
    }

    // wmeSanitizeFile(): the extension must appear in the supplied allow-list
    $this->assertEquals("fish.ext1", wmeSanitizeFile("fish.ext1", array("ext1", "ext2")));
    $this->assertEquals("", wmeSanitizeFile("fish.ext1", array("ext2", "ext3")));
    $this->assertEquals("", wmeSanitizeFile("fish", array("ext2", "ext3")));
}
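/**
 * Reduce an untrusted config filename to something safe to open, or "".
 *
 * Builds on wmeSanitizeFile(), which restricts the extension to .conf, and
 * additionally refuses any name containing a path separator, a query
 * character or a glob wildcard. The caller gets back either the original
 * name or the empty string - never a partially cleaned value.
 *
 * @param string $filename name as received from the request
 * @return string the accepted filename, or "" when it must be ignored
 */
function wmeSanitizeConfigFile($filename)
{
    # If we've been fed something other than a .conf filename, just pretend it didn't happen
    $filename = wmeSanitizeFile($filename, array("conf"));

    # On top of the url stuff, we never need to see a / in a config filename
    # (CVE-2013-3739); "?" and "*" are refused for the same reason.
    # strpbrk() does the membership test in one pass - strstr() was only ever
    # being used as a boolean here, so the three separate checks collapse.
    # NOTE(review): "\" is not rejected; on a Windows host it is also a path
    # separator - confirm whether wmeSanitizeFile() already covers it.
    if (strpbrk($filename, "/?*") !== false) {
        $filename = "";
    }

    return $filename;
}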