From 52ae19b001bfd9aab417466dcbdac5d3ee7fcafa Mon Sep 17 00:00:00 2001
From: michael
Date: Mon, 10 Dec 2012 17:02:14 +0100
Subject: [PATCH] php hole patching
---
 modules/planetlab.module | 16 +++++++++++++++-
 plekit/php/logSorting.php | 2 +-
 plekit/php/updateConfiguration.php | 2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/modules/planetlab.module b/modules/planetlab.module
index 06aa259..2845f75 100644
--- a/modules/planetlab.module
+++ b/modules/planetlab.module
@@ -7,6 +7,7 @@
 //
 // $Id$
 //
+error_reporting(0);
 require_once 'plc_config.php';
 require_once 'plc_session.php';
@@ -346,6 +347,14 @@ function planetlab_user($type, &$edit, &$user, $category = NULL) {
 }
 }
+function isValidFileName($file) {
+
+ /* don't allow .. and allow any "word" character \ / */
+
+ return preg_match('/^(((?:\.)(?!\.))|\w)+$/', $file);
+
+}
+
 function planetlab_page() {
 $path = $_SERVER['DOCUMENT_ROOT'] . preg_replace('/^db\//', '/planetlab/', $_GET['q']);
@@ -367,7 +376,12 @@ function planetlab_page() {
 $output = ob_get_contents();
 ob_end_clean();
 } else {
- $output = file_get_contents($path);
+ if (isValidFileName($path)) {
+ $output = file_get_contents($path);
+ }
+ else {
+ $output = "";
+ }
 }
 return $output;
 }
diff --git a/plekit/php/logSorting.php b/plekit/php/logSorting.php
index 69e98aa..084099a 100644
--- a/plekit/php/logSorting.php
+++ b/plekit/php/logSorting.php
@@ -17,7 +17,7 @@
 $value=$_GET["value"];
 $person_id=$_GET["person_id"];
 $slice_id=$_GET["slice_id"];
-$myFile = "/var/log/myslice.log";
+$myFile = "/var/log/myslice/myslice.log";
 $fh = fopen($myFile, 'a') or die("can't open file");
 $stringData = date('Ymd-H:i')."|".$person_id.":".$slice_id.":".$value."\n";
 fwrite($fh, $stringData);
diff --git a/plekit/php/updateConfiguration.php b/plekit/php/updateConfiguration.php
index cb511c9..79a38bb 100644
--- a/plekit/php/updateConfiguration.php
+++ b/plekit/php/updateConfiguration.php
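Review bot: `error_reporting(0);` at the top of modules/planetlab.module switches off every notice, warning and fatal message for the whole request, so failures inside the required files are no longer logged anywhere, not merely kept out of the browser. If the intent is to stop error text (and with it server paths) reaching the client, keep reporting on and change only where it goes: `ini_set('display_errors', '0'); ini_set('log_errors', '1');`, or set the same in the vhost's php.ini. A one-line comment stating that intent would also help, since a bare `error_reporting(0)` reads like a debugging leftover.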
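Review bot: `isValidFileName()` can never return true for the value it receives in the third hunk (`@@ -367,7 +376,12 @@`): the pattern `/^(((?:\.)(?!\.))|\w)+$/` admits only `\w` characters and non-consecutive dots, but `$path` begins with `$_SERVER['DOCUMENT_ROOT']` and contains `/`, so the `file_get_contents` branch is now unreachable and every such request yields `""`. The comment claims the function allows `\ /`, which the regex does not, and the `$` anchor (rather than `\z`) also lets a trailing newline through. A check that both works and actually bounds the read is to resolve the path with `realpath()` and require it to lie under the planetlab directory, as sketched below; `isValidFileName()` can then be dropped, or restricted to the `q` component before the path is built. The start of `planetlab_page()` lies outside the third hunk.
```php
  } else {
    $base = realpath($_SERVER['DOCUMENT_ROOT'] . '/planetlab');
    $real = realpath($path);
    // serve only files that resolve to somewhere inside the planetlab directory
    if ($base !== false && $real !== false && strpos($real, $base . '/') === 0) {
      $output = file_get_contents($real);
    }
    else {
      $output = "";
    }
  }
  // … unchanged: return $output …
```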
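Review bot: The line `$stringData = date('Ymd-H:i')."|".$person_id.":".$slice_id.":".$value."\n";` directly under the changed path still writes the three `$_GET` values verbatim, so a request carrying CR/LF splits one entry into several and can forge log lines; the same write presumably exists in plekit/php/updateConfiguration.php (last hunk), where the fwrite is outside the hunk. Strip line breaks before appending, e.g. `$stringData = date('Ymd-H:i')."|".str_replace(array("\r", "\n"), ' ', $person_id.":".$slice_id.":".$value)."\n";`. Note also that `fopen($myFile, 'a')` does not create the new `/var/log/myslice/` directory, so this file `die`s when it is missing while updateConfiguration.php guards with `file_exists` — the two should handle a missing log the same way.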
@@ -25,7 +25,7 @@
 $res = $api->SetPersonColumnconf( $person_id, $value );
 else if ($tag_name == "showconf")
 $res = $api->SetPersonShowconf( $person_id, $value );
-$myFile = "/var/log/myslice.log";
+$myFile = "/var/log/myslice/myslice.log";
 if (file_exists($myFile))
 $fh = fopen($myFile, 'a') or die("can't open file");
--
2.43.0
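Review bot: The guard `if (file_exists($myFile))` around the `fopen` leaves `$fh` undefined when the log file is absent, so whatever writes to `$fh` after this hunk (not visible here) would presumably hit an undefined variable and silently drop the entry rather than fail loudly. Either let the same condition wrap the write as well, or drop the guard and rely on `fopen(..., 'a')` creating the file as logSorting.php does — the two files currently treat a missing log differently. `file_exists` followed by `fopen` is also a check-then-act pair; testing the `fopen` result alone is sufficient.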