diff --git a/listdir.php b/listdir.php
index 43b2f4e..4412086 100644
--- a/listdir.php
+++ b/listdir.php
@@ -8,6 +8,13 @@ $max_results = 100; // will break; once we reach limit, -1 for no limit
$motd = "get fucked";
$script_name = "listdir.php";
+function encode_path($path){
+
+ return implode("/", array_map(function($v){
+ return urlencode($v);
+ }, explode("/", $path)));
+}
+
function do_error($code, $title, $text, $motd, $script_name){
http_response_code($code);
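Review bot: `encode_path()` is added without a comment stating its contract, which matters because its result is concatenated into `?path=` links (see the `$up` assignment later in this diff). It applies `urlencode()` to each `/`-separated segment and keeps the slashes literal, so the output holds no quote or angle-bracket characters. It does not normalise or reject segments such as `..`, so it is link encoding only, not path validation. I would put `// URL-encode each "/"-separated segment of $path, keeping the slashes; for building ?path= links, not for validating paths` above the function. The closure wrapper is also unnecessary: `return implode("/", array_map("urlencode", explode("/", $path)));` is equivalent, and the empty line after the signature can go.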
@@ -179,7 +186,7 @@ if(isset($_GET["query"])){
break;
case "pcre":
- $match = preg_match($query, $filename);
+ $match = @preg_match($query, $filename);
if($match === false){
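Review bot: The `@` added to `preg_match($query, $filename)` silences the warning for a bad pattern but leaves the pattern itself unchecked, and going by the hunk header (`if(isset($_GET["query"]))`) `$query` appears to be request-supplied. The `$match === false` branch that follows also fires when PCRE hits `pcre.backtrack_limit`, so it should consult `preg_last_error()` instead of assuming a syntax error; that branch's body is outside the hunk. If this call runs once per directory entry, test the pattern once before the listing starts, e.g. `if(@preg_match($query, "") === false)`, and fail there. A malformed pattern is then rejected a single time rather than recompiled and suppressed per file.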
@@ -224,7 +231,7 @@ if(isset($_GET["query"])){
'
' .
'| ' . ($is_dir ? "<DIR>" : "<FILE>") . ' | ' .
'' .
- '' .
+ '' .
htmlspecialchars(
$filename
) .
@@ -321,7 +328,7 @@ if(is_dir($realpath)){
$up = explode("/", $relative_path);
unset($up[count($up) - 1]);
- $up = $script_name . "?path=" . urlencode(implode("/", $up));
+ $up = $script_name . "?path=" . encode_path(implode("/", $up));
}
do_header("index of " . $relative_path, "", "and", false, "", $up);
@@ -342,7 +349,7 @@ if(is_dir($realpath)){
' | ' .
'' . ($is_dir ? "<DIR>" : "<FILE>") . ' | ' .
'' .
- '' .
+ '' .
htmlspecialchars(
$filename
) .
@@ -367,7 +374,7 @@ if(is_dir($realpath)){
echo
' | ' .
- '<PREV>' .
+ '<PREV>' .
' | ';
}else{
@@ -382,7 +389,7 @@ if(is_dir($realpath)){
echo
'' .
- '<NEXT>' .
+ '<NEXT>' .
' | ';
}else{
|