From 31ffad39a8599338d4176f9ab823ef05b7105bd3 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 26 Feb 2014 22:32:19 +0100 Subject: [PATCH] fix security hole missing check for passed parameters allows to read files on the server --- out/out.LogManagement.php | 2 +- views/bootstrap/class.LogManagement.php | 8 ++------ 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/out/out.LogManagement.php b/out/out.LogManagement.php index 314e95d98..9375b9258 100644 --- a/out/out.LogManagement.php +++ b/out/out.LogManagement.php @@ -27,7 +27,7 @@ if (!$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } -if (isset($_GET["logname"])) $logname=$_GET["logname"]; +if (isset($_GET["logname"])) $logname=basename($_GET["logname"]); else $logname=NULL; if (isset($_GET["mode"])) $mode=$_GET["mode"]; diff --git a/views/bootstrap/class.LogManagement.php b/views/bootstrap/class.LogManagement.php index d60968706..22b764f8b 100644 --- a/views/bootstrap/class.LogManagement.php +++ b/views/bootstrap/class.LogManagement.php @@ -137,15 +137,11 @@ class SeedDMS_View_LogManagement extends SeedDMS_Bootstrap_Style { htmlEndPage(); } elseif(file_exists($this->contentdir.$logname)){ -// $this->htmlStartPage(getMLText("backup_tools")); - -// $this->contentSubHeading(sanitizeString($logname)); - echo $logname."
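Review bot: `basename()` on the new `$logname` line strips directory components but still passes through `.`, `..`, the empty string and any other single file name, so the parameter is reduced to one path segment rather than validated against the log files this page is meant to serve; the view then only asks `file_exists()` on the prefixed name, which is also true for a directory. A positive check after the assignment is the tighter fix, e.g. `if ($logname !== null && !preg_match('/^[A-Za-z0-9_.-]+$/', $logname) || in_array($logname, array('.', '..', ''), true)) UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));` (constructed pattern — the naming scheme of the log files is not visible in this hunk and should be matched to whatever the list view enumerates). The same looseness is what the `else` branch added in views/bootstrap/class.LogManagement.php has to compensate for.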
\n";
 			readfile($this->contentdir.$logname);
 			echo "
\n"; - -// echo "\n\n"; + } else { + UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } } /* }}} */
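Review bot: The new `else` branch only catches names that do not exist at all; the `elseif(file_exists($this->contentdir.$logname))` guard it hangs off still accepts `.` and `..` (both survive the `basename()` applied in out/out.LogManagement.php), so `readfile()` is then called on a directory and emits warnings instead of denying access. Changing the guard to `} elseif(is_file($this->contentdir.$logname)){` routes those cases into the added access-denied branch. Separately, the kept `echo $logname.` line prints the request parameter into the admin page unescaped; the commented-out line this hunk deletes wrapped it in `sanitizeString()`, and the live line should do likewise (`echo sanitizeString($logname).` followed by the existing literal, assuming `sanitizeString()` HTML-escapes) or use `htmlspecialchars($logname, ENT_QUOTES, 'UTF-8')`. The enclosing method starts before this hunk.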