Check that the animal is actually inside the farm

This makes sure that the animal that is specified in the URL is actually
a subdirectory inside the farm and not somewhere else in the system.
This allows that the animals are organized in different subdirectories
for more complicated farm setups.

inc/farm.php

@@ -46,6 +46,9 @@ function conf_path($farm) {
     if(isset($_REQUEST['animal']) || ('cli' == php_sapi_name() && isset($_SERVER['animal']))) {
         $mode = isset($_REQUEST['animal']) ? 'htaccess' : 'cli';
         $animal = $mode == 'htaccess' ? $_REQUEST['animal'] : $_SERVER['animal'];
+        // check that $animal specifies a subdirectory of $farm
+        if (strpos(fullpath($farm.'/'.$animal), fullpath($farm).'/') !== 0)
+            nice_die('Sorry! Invalid Wiki name!');
         if(!is_dir($farm.'/'.$animal))
             nice_die("Sorry! This Wiki doesn't exist!");
         if(!defined('DOKU_FARM')) define('DOKU_FARM', $mode);