From 7a4d1d990e47e5969eb2e3e289ee7e1b6e86d6fe Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 21 Apr 2015 11:41:21 +0200
Subject: [PATCH] Fix security hole

---
 htdocs/filefunc.inc.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 13b2d8d1669..a5fdcbd24d3 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -67,12 +67,15 @@ $conffiletoshow = "htdocs/conf/conf.php";
 //$conffile = "/etc/dolibarr/conf.php";
 //$conffiletoshow = "/etc/dolibarr/conf.php";
-//replace conf filename with "conf" parameter on url by GET
-if (!empty($_GET['conf'])) {
- setcookie('dolconf', $_GET['conf'],0,'/');
- $conffile = 'conf/' . $_GET['conf'] . '.php';
+// Replace conf filename with "conf" parameter on url by GET
+if (! empty($_GET['conf']))
+{
+ $confname=basename($_GET['conf']);
+ setcookie('dolconf', $confname, 0, '/');
+ $conffile = 'conf/'.$confname.'.php';
 } else {
- $conffile = 'conf/' . (!empty($_COOKIE['dolconf']) ? $_COOKIE['dolconf'] : 'conf') . '.php';
+ $confname=basename(empty($_COOKIE['dolconf']) ? 'conf' : $_COOKIE['dolconf']);
+ $conffile = 'conf/'.$confname.'.php';
 }