rel #31941: fix customized directory traversal protection for shared hosting...

rel #31941: fix customized directory traversal protection for shared hosting Bokeh with dedicated virtual host

VERSIONS_HOTLINE/31941

+ - ticket #31941 : Correction compatibilité explorateur de fichier / hébergement mutualisé sans sous-répertoire
\ No newline at end of file

ckeditor/core_five_filemanager/connectors/php/filemanager.php

@@ -24,18 +24,14 @@ header('Content-type: application/json');
  * @param string $path
  */
 function opacTraversalProtect ($path) {
-	$path = (string)$path;
-	$parts = explode('/', $path);
-	array_shift($parts);
-	if (2 > count($parts)) {
-		exit();
-	}
-	if ('userfiles' != $parts[1]) {
-		exit();
-	}
-	if (in_array('..', $parts)) {
-		exit();
-	}
+  $path = (string)$path;
+  $parts = explode('/', $path);
+  array_shift($parts);
+
+  if (in_array('..', $parts)
+      || 2 > count($parts)
+      || !in_array('userfiles', $parts))
+    exit();
 }
 
 
@@ -64,7 +60,7 @@ if(!isset($_GET)) {
 } else {
   if(isset($_GET['mode']) && $_GET['mode']!='') {
     switch($_GET['mode']) {
-      	
+
       default:
 				opacTraversalProtect($_GET['path']);
         $fm->error($fm->lang('MODE_ERROR'));
@@ -78,7 +74,7 @@ if(!isset($_GET)) {
         break;
 
       case 'getfolder':
-				opacTraversalProtect($_GET['path']);        	
+				opacTraversalProtect($_GET['path']);
         if($fm->getvar('path')) {
           $response = $fm->getfolder();
         }
@@ -121,12 +117,12 @@ if(!isset($_GET)) {
 
   } else if(isset($_POST['mode']) && $_POST['mode']!='') {
     switch($_POST['mode']) {
-      	
+
       default:
 
         $fm->error($fm->lang('MODE_ERROR'));
         break;
-        	
+
       case 'add':
         if($fm->postvar('currentpath')) {
 					opacTraversalProtect($_POST['currentpath']);