Fixes #4324. Not allowing relative paths for dataroot in advance settings.

diff --git a/actions/admin/site/update_advanced.php b/actions/admin/site/update_advanced.php
index 23d622a62a28887ca8ae8d556617df9cfc2bb56a..897a2f98359343b189f591e275be28605234dd62 100644 (file)
--- a/actions/admin/site/update_advanced.php
+++ b/actions/admin/site/update_advanced.php
@@ -17,7 +17,24 @@ if ($site = elgg_get_site_entity()) {
        $site->url = get_input('wwwroot');
 
        datalist_set('path', sanitise_filepath(get_input('path')));
-       datalist_set('dataroot', sanitise_filepath(get_input('dataroot')));
+       $dataroot = sanitise_filepath(get_input('dataroot'));
+
+       // check for relative paths
+       if (stripos(PHP_OS, 'win') === 0) {
+               if (strpos($dataroot, ':') !== 1) {
+                       $msg = elgg_echo('admin:configuration:dataroot:relative_path', array($dataroot));
+                       register_error($msg);
+                       forward(REFERER);
+               }
+       } else {
+               if (strpos($dataroot, '/') !== 0) {
+                       $msg = elgg_echo('admin:configuration:dataroot:relative_path', array($dataroot));
+                       register_error($msg);
+                       forward(REFERER);
+               }
+       }
+
+       datalist_set('dataroot', $dataroot);
 
        if (get_input('simplecache_enabled')) {
                elgg_enable_simplecache();

diff --git a/languages/en.php b/languages/en.php
index 14df3db3406e348a9b53dd26812bfc4fba0e2151..e48f992d7467b16cd7390c651751f8a0877d3002 100644 (file)
--- a/languages/en.php
+++ b/languages/en.php
@@ -562,6 +562,7 @@ $english = array(
 
        'admin:configuration:success' => "Your settings have been saved.",
        'admin:configuration:fail' => "Your settings could not be saved.",
+       'admin:configuration:dataroot:relative_path' => 'Cannot set "%s" as the dataroot because it is not an absolute path.',
 
        'admin:unknown_section' => 'Invalid Admin Section.',