-rw-r--r--engine/lib/database.php25
-rw-r--r--engine/lib/elgglib.php6
2 files changed, 24 insertions, 7 deletions
diff --git a/engine/lib/database.php b/engine/lib/database.php
index 03770f4bf..41c514b69 100644
--- a/engine/lib/database.php
+++ b/engine/lib/database.php
@@ -670,7 +670,10 @@
function get_data($query, $callback = "") {
- global $CONFIG, $dbcalls;
+ global $CONFIG, $dbcalls;
+
+ if (!callpath_gatekeeper($CONFIG->path . "engine/", true, true))
+ throw new DatabaseException("Access to privileged function 'get_data()' is denied.");
$dblink = get_db_link('read');
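Review bot: The added `callpath_gatekeeper()` check guards only this wrapper, while the connection still comes from `get_db_link('read')` on the next line, which this commit leaves ungated as far as the diff shows. The check is therefore a guard rail for well-behaved callers, not an access-control boundary, and the same holds for the identical checks added to get_data_row(), insert_data(), update_data() and delete_data(). I would say so above each check, e.g. `// Guard rail: limits direct callers to engine/; not a security boundary while get_db_link() stays callable from anywhere.`, and consider gating get_db_link() as well. The body of get_data() continues outside the hunk.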
@@ -712,7 +715,10 @@
function get_data_row($query) {
- global $CONFIG, $dbcalls;
+ global $CONFIG, $dbcalls;
+
+ if (!callpath_gatekeeper($CONFIG->path . "engine/", true, true))
+ throw new DatabaseException("Access to privileged function 'get_data_row()' is denied.");
$dblink = get_db_link('read');
@@ -748,7 +754,10 @@
function insert_data($query) {
- global $dbcalls;
+ global $dbcalls;
+
+ if (!callpath_gatekeeper($CONFIG->path . "engine/", true, true))
+ throw new DatabaseException("Access to privileged function 'insert_data()' is denied.");
$dblink = get_db_link('write');
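Review bot: `$CONFIG` is read in the new check but is not declared global in insert_data(): the new line is still `global $dbcalls;`, whereas update_data() and delete_data() were changed to `global $dbcalls, $CONFIG;`. Inside the function `$CONFIG` is therefore an undefined local, `$CONFIG->path` yields null with a notice, and the prefix passed to the gatekeeper is just `"engine/"`. Since that is unlikely to be a prefix of an absolute file path, the check will probably deny every caller and insert_data() would always throw; this is inferred, as only part of callpath_gatekeeper() is visible. The declaration should read `global $dbcalls, $CONFIG;`. The body of insert_data() continues outside the hunk.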
@@ -772,7 +781,10 @@
function update_data($query) {
- global $dbcalls;
+ global $dbcalls, $CONFIG;
+
+ if (!callpath_gatekeeper($CONFIG->path . "engine/", true, true))
+ throw new DatabaseException("Access to privileged function 'update_data()' is denied.");
$dblink = get_db_link('write');
@@ -797,7 +809,10 @@
function delete_data($query) {
- global $dbcalls;
+ global $dbcalls, $CONFIG;
+
+ if (!callpath_gatekeeper($CONFIG->path . "engine/", true, true))
+ throw new DatabaseException("Access to privileged function 'delete_data()' is denied.");
$dblink = get_db_link('write');
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index 4a6c417bd..b5f4870bc 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -1066,12 +1066,14 @@
{
if ($include_subdirs)
{
- if (strpos($call['file'], $path) === 0)
+ if (strpos($call['file'], $path) === 0) {
if ($strict_mode) {
- if ($callstack[2] === $call) return true;
+ if ($callstack[1] === $call) return true;
}
else
return true;
+ }
+ else echo ":{$call['file']}:$path: FAIL\n";
}
else
{
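Review bot: The added `else echo ":{$call['file']}:$path: FAIL\n";` looks like leftover debugging and should not ship. It prints absolute server file paths into the response for each inspected frame that is not under `$path`, which discloses the install layout to whoever receives the page and can corrupt headers or structured output. Remove the line, or send it to the server log instead, e.g. `else error_log("callpath_gatekeeper: {$call['file']} not under $path");`. Separately, the strict-mode index change from `$callstack[2]` to `$callstack[1]` depends on how many frames are stripped before this loop, which is outside the hunk; a one-line comment naming the frame that index 1 refers to would make the check auditable.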