From 44b53fd82f813ca456b101d22fc8c7b31f447243 Mon Sep 17 00:00:00 2001
From: Ashley Holman
Date: Thu, 4 Jun 2009 13:39:15 +0930
Subject: [PATCH] WebDAV: add proper security checks to the PROPFIND method

---
 webdav/server/moodledata.class.php | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/webdav/server/moodledata.class.php b/webdav/server/moodledata.class.php
index 71e01be..e345de1 100644
--- a/webdav/server/moodledata.class.php
+++ b/webdav/server/moodledata.class.php
@@ -226,7 +226,12 @@ class HTTP_WebDAV_Server_Moodledata extends HTTP_WebDAV_Server {
 // get absolute fs path to requested resource
 $fspath = $this->base . $this->_cleanpath($options["path"]);
-
+
+ // Is this real path allowed?
+ if (!$this->_fspathallowed($fspath)) {
+ return false;
+ }
+
 // sanity check
 if (!file_exists($fspath)) {
 return false;
-- 
1.6.0.6
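Review bot: The new guard passes `$fspath` to `_fspathallowed()` as a plain concatenation of `$this->base` and the cleaned request path, so whether `..` segments or symlinks are resolved before the comparison depends on `_cleanpath()` and `_fspathallowed()`, neither of which is visible in this hunk; the comment's "real path" implies a canonicalisation that the visible lines do not perform. If the helper compares strings or prefixes, it should canonicalise first, and the comment would be more accurate as `// Deny before the existence check so a disallowed path looks the same as a missing one; _fspathallowed() is expected to compare the canonical path`. The guard also covers only the requested resource: the rest of PROPFIND lies outside the hunk, and if it goes on to enumerate a collection's children, each child probably needs the same check before its properties are returned.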