gadgetchains/Magento2/FI/1/chain.php
Outdated
| $parameters = parent::process_parameters($parameters); | ||
| // Remove the .php suffix if it has been specified, as it will be added | ||
| // by the application. | ||
| $parameters['remote_path'] = preg_replace('#.php$#', '', $parameters['remote_path']); |
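Review bot: The `.` in `'#.php$#'` is unescaped, so it matches any character, and a remote_path ending in something like `xphp` loses its last four characters even though it has no `.php` suffix. Escape it as `\.php$` or `[.]php$` so that only a literal `.php` suffix is stripped.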
| $parameters['remote_path'] = preg_replace('#.php$#', '', $parameters['remote_path']); | |
| $parameters['remote_path'] = preg_replace('#.php$#i', '', $parameters['remote_path']); |
gadgetchains/Magento2/FI/2/chain.php
Outdated
| $parameters = parent::process_parameters($parameters); | ||
| // Remove the prefix and suffix if they have been specified, as they | ||
| // will be added by the application. | ||
| $parameters['remote_path'] = preg_replace('#(^rsl::|.php$)#', '', $parameters['remote_path']); |
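Review bot: The `$` in `'#(^rsl::|.php$)#'` also matches just before a trailing newline, so a remote_path of `foo.php` followed by a newline comes out as `foo` plus the newline instead of a clean path. Add the `D` modifier, or trim the value before the replacement, so the suffix test applies only at the very end of the string.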
| $parameters['remote_path'] = preg_replace('#(^rsl::|.php$)#', '', $parameters['remote_path']); | |
| $parameters['remote_path'] = preg_replace('#(^rsl::|.php$)#i', '', $parameters['remote_path']); |
Are you sure this will remove both the prefix and the suffix if both are present?
I can see why you'd ask as it seems like an OR in the pattern so perhaps only one replacement would take place.. however:
php > $filename = 'rsl::foobar.php';
php > $filename = preg_replace('#(^rsl::|.php$)#', '', $filename);
php > print $filename;
foobar
I did have to check to be certain though!
Good suggestion to make the patterns case-insensitive.. but I'm not positive the include would work if the prefix was supplied in the payload in uppercase. Will add the i flag anyway.
Actually if we're going to remove the prefix, we should do that on the file part of the path; I'll tweak the pre-processing shortly.
I think this does what we want now, and it seems pretty unlikely that
gadgetchains/Magento2/FI/2/chain.php
Outdated
| $parameters = parent::process_parameters($parameters); | ||
| // Remove the prefix and suffix if they have been specified, as they | ||
| // will be added by the application. | ||
| $parameters['remote_path'] = preg_replace('#(rsl::|.php$)#i', '', $parameters['remote_path']); |
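Review bot: Without the `^` anchor, `rsl::` in `'#(rsl::|.php$)#i'` is removed wherever it occurs in remote_path, including inside directory names and more than once, while the comment above still describes it as a prefix. If only the prefix of the file name is meant, match it at the start of the last path component, for example by applying the replacement to the basename and rejoining it with the directory part.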
| $parameters['remote_path'] = preg_replace('#(rsl::|.php$)#i', '', $parameters['remote_path']); | |
| $parameters['remote_path'] = preg_replace('#(rsl::|[.]php$)#i', '', $parameters['remote_path']); |
Otherwise . will match any char :)
Well spotted! Thanks.