From 2c74da52a8e9f3b7b229ba361184822ced8ba90c Mon Sep 17 00:00:00 2001
From: roberttidey
Date: Sun, 20 Feb 2022 21:53:33 +0000
Subject: [PATCH] security update
---
 README.md | 2 +-
 www/config.php | 2 +-
 www/index.php | 11 ++++++-----
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 8710354..0c7f174 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@ Web based interface for controlling the Raspberry Pi Camera, includes motion detection, time lapse, and image and video recording.
-Current version 6.6.23
+Current version 6.6.24
 All information on this project can be found here: http://www.raspberrypi.org/forums/viewtopic.php?f=43&t=63276 The wiki page can be found here:
diff --git a/www/config.php b/www/config.php
index 23c478d..70d3282 100755
--- a/www/config.php
+++ b/www/config.php
@@ -3,7 +3,7 @@ define('LBASE_DIR',dirname(__FILE__)); //Global defines and utility functions // version string
- define('APP_VERSION', 'v6.6.23');
+ define('APP_VERSION', 'v6.6.24');
 // name of this application define('APP_NAME', 'RPi Cam Control');
diff --git a/www/index.php b/www/index.php
index 6a978ba..f91f38d 100644
--- a/www/index.php
+++ b/www/index.php
@@ -207,11 +207,12 @@ function simple_button() { } if (isset($_POST['extrastyle'])) {
- if (file_exists('css/' . $_POST['extrastyle'])) {
- $fp = fopen(BASE_DIR . '/css/extrastyle.txt', "w");
- fwrite($fp, $_POST['extrastyle']);
- fclose($fp);
- }
+ $extra = $_POST['extrastyle'];
+ if ((strpos($extra, '/') === false) && file_exists('css/' . $extra)) {
+ $fp = fopen(BASE_DIR . '/css/extrastyle.txt', "w");
+ fwrite($fp, $extra);
+ fclose($fp);
+ }
 } function getDisplayStyle($context, $userLevel) {
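Review bot: The new guard on `$extra` in the `www/index.php` hunk rejects only one character, so an empty string, `.` or `..` still passes `file_exists()` (which is true for directories) and is written to `css/extrastyle.txt`, and an array-valued `extrastyle[]` post reaches `strpos()` as a non-string. An allowlist is tighter: `if (is_string($extra) && preg_match('/^[A-Za-z0-9_-]+\.css$/', $extra) && is_file(BASE_DIR . '/css/' . $extra)) {`, with the pattern adjusted to the stylesheet names the project actually ships. That form also checks existence against the same `BASE_DIR` path that `fopen()` writes under, instead of the working-directory-relative `'css/'`. Where the stored name is later read and emitted is outside this hunk, so any escaping needed at that point should be confirmed there. The `fopen()` result is still passed to `fwrite()` unchecked.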