From e0b6aade22fd35d4c2d514a1f30342983b1fb352 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 29 Jan 2016 12:50:24 +0100
Subject: [PATCH] do not accept empty or root $base in search. fixes #1452

You really never want to search the whole filesystem, so something must
have gone wrong. Better abort than go on.
---
 inc/search.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/inc/search.php b/inc/search.php
index 935969d3f..cc3579c3c 100644
--- a/inc/search.php
+++ b/inc/search.php
@@ -28,6 +28,11 @@ function search(&$data,$base,$func,$opts,$dir='',$lvl=1,$sort='natural'){
     $files  = array();
     $filepaths = array();
 
+    // safeguard against runaways #1452
+    if($base == '' || $base == '/') {
+        throw new RuntimeException('No valid $base passed to search() - possible misconfiguration or bug');
+    }
+
     //read in directories and files
     $dh = @opendir($base.'/'.$dir);
     if(!$dh) return;
-- 
GitLab