Only load dashlets classes with .php extension

Pascal Dreissen · Pascal Dreissen · commit 1571ad8e2431 · 2018-02-22T20:55:35.000+01:00
diff --git a/interface/web/dashboard/dashboard.php b/interface/web/dashboard/dashboard.php
@@ -160,10 +160,13 @@
 $handle = @opendir(ISPC_WEB_PATH.'/dashboard/dashlets');
 while ($file = @readdir($handle)) {
 	if ($file != '.' && $file != '..' && !is_dir(ISPC_WEB_PATH.'/dashboard/dashlets/'.$file)) {
-		$dashlet_name = substr($file, 0, -4);
-		$dashlet_class = 'dashlet_'.$dashlet_name;
-		include_once ISPC_WEB_PATH.'/dashboard/dashlets/'.$file;
-		$dashlet_list[$dashlet_name] = new $dashlet_class;
+		$splitfilename = explode('.', $file);
+		if (end($splitfilename) == 'php') { // only allow .php files 
+			$dashlet_name = substr($file, 0, -4);
+			$dashlet_class = 'dashlet_'.$dashlet_name;
+			include_once ISPC_WEB_PATH.'/dashboard/dashlets/'.$file;
+			$dashlet_list[$dashlet_name] = new $dashlet_class;
+		}
 	}
 }
 
