From ec474c8f70406149ec515a0e09020ecd1b5292ec Mon Sep 17 00:00:00 2001
From: Brett Profitt <brett.profitt@gmail.com>
Date: Tue, 24 Apr 2012 10:41:25 -0700
Subject: Fixes #4324. Not allowing relative paths for dataroot in advance
 settings.

---
 actions/admin/site/update_advanced.php | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

(limited to 'actions/admin')

diff --git a/actions/admin/site/update_advanced.php b/actions/admin/site/update_advanced.php
index 23d622a62..897a2f983 100644
--- a/actions/admin/site/update_advanced.php
+++ b/actions/admin/site/update_advanced.php
@@ -17,7 +17,24 @@ if ($site = elgg_get_site_entity()) {
 	$site->url = get_input('wwwroot');
 
 	datalist_set('path', sanitise_filepath(get_input('path')));
-	datalist_set('dataroot', sanitise_filepath(get_input('dataroot')));
+	$dataroot = sanitise_filepath(get_input('dataroot'));
+
+	// check for relative paths
+	if (stripos(PHP_OS, 'win') === 0) {
+		if (strpos($dataroot, ':') !== 1) {
+			$msg = elgg_echo('admin:configuration:dataroot:relative_path', array($dataroot));
+			register_error($msg);
+			forward(REFERER);
+		}
+	} else {
+		if (strpos($dataroot, '/') !== 0) {
+			$msg = elgg_echo('admin:configuration:dataroot:relative_path', array($dataroot));
+			register_error($msg);
+			forward(REFERER);
+		}
+	}
+
+	datalist_set('dataroot', $dataroot);
 
 	if (get_input('simplecache_enabled')) {
 		elgg_enable_simplecache();
-- 
cgit v1.2.3