Fixed directory traversal issues.
authorJanusz Dobrowolski <janusz@frontaccounting.eu>
Fri, 25 Apr 2014 22:57:39 +0000 (00:57 +0200)
committerJanusz Dobrowolski <janusz@frontaccounting.eu>
Wed, 21 May 2014 12:23:16 +0000 (14:23 +0200)
admin/inst_module.php
includes/hooks.inc

index f92d2c56aef4d53ae7ddf5de89a39818a00c6b0c..77a16cbd5ba85b1536fa8676b49ffa56a7fa1889 100644 (file)
@@ -42,8 +42,8 @@ function local_extension($id)
                        'active' => false
        );
 
-       if (file_exists($path_to_root.'/modules/'.$id.'/hooks.php')) {
-               include_once($path_to_root.'/modules/'.$id.'/hooks.php');
+       if (file_exists($path_to_root.'/modules/'.clean_file_name($id).'/hooks.php')) {
+               include_once($path_to_root.'/modules/'.clean_file_name($id).'/hooks.php');
        }
        $hooks_class = 'hooks_'.$id;
        if (class_exists($hooks_class, false)) {
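Review bot: The sanitised name is only used for the filesystem path, while the class name on the next line, `$hooks_class = 'hooks_'.$id;`, is still built from the raw `$id`; if clean_file_name() alters the value, the hooks file that gets included belongs to a different directory than the class being looked up, and the mismatch goes unnoticed. Computing the cleaned value once, `$dir = clean_file_name($id);`, and using it for both the file_exists/include_once pair and the class name would keep the two in step and avoid the duplicated call; this also mirrors what the includes/hooks.inc hunk does with `$lang_code`. The exact behaviour of clean_file_name() (strip vs. reject) is not visible here, so whether a changed value should be treated as an error rather than silently used deserves confirmation. local_extension() starts and ends outside the hunk.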
index ab2d2bdc6af5b1cb00f193e5fb1158c603f6c6b8..71717fc154202a4071612a4060bb428b3f371e6b 100644 (file)
@@ -225,9 +225,10 @@ function install_hooks()
        $Hooks = array();
        
        // include current language related $Hooks object if locale file exists
-       if (file_exists($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc"))
+       $lang_code  = clean_file_name($_SESSION['language']->code);
+       if (file_exists($path_to_root . "/lang/" . $lang_code . "/locale.inc"))
        {
-               include_once($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc");
+               include_once($path_to_root . "/lang/" . $lang_code . "/locale.inc");
                $code = $_SESSION['language']->code;
                $hook_class = 'hooks_'.$code;
                $Hooks[$code] = new $hook_class;
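Review bot: `$lang_code` is only used for the file path; three lines later `$code = $_SESSION['language']->code;` takes the raw value again and feeds it into `'hooks_'.$code` and `new $hook_class` without a class_exists() check, so a session language code that clean_file_name() had to alter still reaches class instantiation unmodified. Deriving the later value from the cleaned one, `$code = $lang_code;`, or rejecting the case `$lang_code !== $_SESSION['language']->code` outright, would make the include path and the class name agree and make a mangled code fail loudly instead of reaching `new`. A small style nit: `$lang_code  = ` has a double space before `=`. install_hooks() continues past the end of the hunk.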