From fc4aebae9800236928e8da5a25e0d9daba50972d Mon Sep 17 00:00:00 2001
From: Tobias Reich
Date: Thu, 9 Oct 2014 18:37:03 +0200
Subject: [PATCH] Check filename before including for security reasons
---
 php/autoload.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/php/autoload.php b/php/autoload.php
index b2dae0c..34aa98d 100644
--- a/php/autoload.php
+++ b/php/autoload.php
@@ -10,6 +10,9 @@ if (!defined('LYCHEE')) exit('Error: Direct access is not allowed!');
 function lycheeAutoloaderModules($class_name) {
+ $modules = array('Album', 'Database', 'Import', 'Log', 'Module', 'Photo', 'Plugins', 'Session', 'Settings');
+ if (!in_array($class_name, $modules)) return false;
+
 $file = LYCHEE . 'php/modules/' . $class_name . '.php';
 if (file_exists($file)!==false) require $file;
@@ -17,6 +20,9 @@ function lycheeAutoloaderModules($class_name) {
 function lycheeAutoloaderAccess($class_name) {
+ $access = array('Access', 'Admin', 'Guest', 'Installation');
+ if (!in_array($class_name, $access)) return false;
+
 $file = LYCHEE . 'php/access/' . $class_name . '.php';
 if (file_exists($file)!==false) require $file;
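Review bot: The new allow-list check in lycheeAutoloaderModules uses a loose `in_array`, so the comparison that gates which file gets `require`d is `==` rather than `===`; pass the strict flag, `if (!in_array($class_name, $modules, true)) return false;`, and likewise `in_array($class_name, $access, true)` in the lycheeAutoloaderAccess hunk. With the entries present today (no numeric-looking strings) loose and strict comparison give the same answer, but making the check exact keeps the allow-list the single thing that decides whether `$class_name` may be turned into a path, even if the list is edited later. A one-line comment above each list stating its role would help the next maintainer keep it that way, e.g. `// Allow-list: only these names may be mapped to a file under php/modules/ (or php/access/).` The closing braces of both functions lie outside the hunks shown, so I cannot confirm nothing after the `require` depends on the early `return false`.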