fix Abitrary File Read

slims · Oct 27, 2017 · acb1130 · acb1130
1 parent 08ab295
commit acb1130
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/admin/help.php b/admin/help.php
@@ -39,7 +39,7 @@
 
 if(isset($_GET['url']) && !empty($_GET['url'])) {		
 	$file_path = HELP.'/'.$sysconf['default_lang'].'/'.$_GET['url'];
-	if(!file_exists($file_path)) {
+	if(!file_exists($file_path)|| !preg_match("/^.*\.(md)$/i", $file_path)) {
 		echo __('File Not Found');
 	} else {
 		//Convert Markdown to HTML