From d032345191c57294d5723639f777692c85bd2b1a Mon Sep 17 00:00:00 2001
From: Georg Ehrke <dev@georgswebsite.de>
Date: Mon, 7 May 2012 13:20:43 +0200
Subject: [PATCH] fix validation of getfile parameter - i hate this bloody
 merge conflicts

---
 lib/base.php   | 4 ++--
 lib/helper.php | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/lib/base.php b/lib/base.php
index 40df2b0c56..14f2439ecb 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -443,8 +443,8 @@ class OC{
 			$_GET['getfile'] = $file;
 		}
 		if(!is_null(self::$REQUESTEDFILE)){
-			$subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
-			$parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
+			$subdir = OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
+			$parent = OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP;
 			if(!OC_Helper::issubdirectory($subdir, $parent)){
 				self::$REQUESTEDFILE = null;
 				header('HTTP/1.0 404 Not Found');
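Review bot: Both `$subdir` and `$parent` are built from `self::$REQUESTEDAPP`, so the `issubdirectory` check only constrains `REQUESTEDFILE` relative to whichever app directory was named. If `REQUESTEDAPP` is request-derived (its origin is outside this hunk) and can carry `..` segments, the parent moves with it and the check still passes. Consider anchoring the app directory as well, e.g. `if(!OC_Helper::issubdirectory($parent, OC::$APPSROOT . '/apps') || !OC_Helper::issubdirectory($subdir, $parent)){`, or validating the app id against the installed apps before any path is built. The rejection branch continues past the end of the hunk, so confirm that it stops request handling after sending the 404 rather than only nulling `REQUESTEDFILE`.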
diff --git a/lib/helper.php b/lib/helper.php
index 2ddd5e7b77..5422d88398 100644
--- a/lib/helper.php
+++ b/lib/helper.php
@@ -576,14 +576,12 @@ class OC_Helper {
 				return true;
 			}
 		}
-		/*
-		echo 'SUB: ' . $sub . "\n";
+		/*echo 'SUB: ' . $sub . "\n";
 		echo 'PAR: ' . $parent . "\n";
 		echo 'REALSUB: ' . $realpath_sub . "\n";
 		echo 'REALPAR: ' . $realpath_parent . "\n";
 		echo substr($realpath_sub, 0, strlen($realpath_parent));
-		exit;
-		*/
+		exit;*/
 		return false;
 	}
 }
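Review bot: The commented-out debug block is only re-wrapped here and would be better deleted, since re-enabling it would echo resolved server paths to the client and call `exit` from inside a validation helper. Its last line, `substr($realpath_sub, 0, strlen($realpath_parent))`, suggests the live comparison above the hunk (not visible here) is a plain string-prefix test. If that is the case, a sibling directory whose name merely begins with the parent's name would be treated as inside it, and the comparison should include a trailing separator, e.g. `strpos($realpath_sub . '/', $realpath_parent . '/') === 0`. The method starts outside the hunk, so this needs checking against the full body.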
-- 
GitLab