author | piernov <piernov@piernov.org> | 2016-05-02 19:58:11 +0200 |
---|---|---|
committer | piernov <piernov@piernov.org> | 2016-05-02 19:58:11 +0200 |
commit | 035a477c4f30180edecead29e8bcda34a0725881 (patch) | |
tree | 6a374e2d6049c4a10f301a1278d719ad99916259 | |
parent | 49aaf3ec355f783507875381a426ea350f0cdea1 (diff) | |
Better when the user isn't allowed to delete arbitrary files…
Thanks PHP for not highlighting the problem and not providing a simple solution…
-rw-r--r-- | inc/savegame.inc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/inc/savegame.inc b/inc/savegame.inc
index 2f8c70a..0dfb1c8 100644
--- a/inc/savegame.inc
+++ b/inc/savegame.inc
@@ -73,8 +73,9 @@ function parseSave($xml, &$table) { // Passing $table by reference
 function deleteSave() {
 if(empty($_POST["filename"])) return;
- $filename = $_POST["filename"];
- if(unlink(SAVEDIR + "/" + $filename)) sendError("gamesave_delete_failed");
+ $path = SAVEDIR . "/" . basename($_POST["filename"]); // remove any leading directory
+ if(file_exists($path) && unlink($path))
+ sendError("gamesave_delete_failed");
 else sendInfo("gamesave_delete_success");
 } |
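Review bot: The result check on the new `if(file_exists($path) && unlink($path))` line is inverted: unlink() returns true on success, so a successful delete reports `gamesave_delete_failed`, while a missing file or a failed unlink reports `gamesave_delete_success`. Swap the branches, e.g. `if(is_file($path) && unlink($path)) sendInfo("gamesave_delete_success");` followed by `else sendError("gamesave_delete_failed");`; is_file() also keeps a directory name such as `..` (which basename() returns unchanged) away from unlink(). basename() confines the delete to SAVEDIR, but nothing visible in deleteSave() ties the file to the requesting user, so if saves are per-user an ownership check (here or in the caller, which is outside the hunk) is still needed.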