TPS
/
ORIENT
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve asset file path handling

This commit is contained in:
Luke Towers 2020-03-31 03:37:31 -06:00
parent a9b4a5b2c7
commit 2b8939cc8b
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
modules/cms/classes/Asset.php
View File

@ -285,7 +285,14 @@ class Asset extends Extendable
$fileName = $this->fileName;
}
return $this->theme->getPath().'/'.$this->dirName.'/'.$fileName;
// Limit paths to those under the assets directory
$directory = $this->theme->getPath() . '/' . $this->dirName . '/';
$path = realpath($directory . $fileName);
if (!starts_with($path, $directory)) {
return false;
}
return $path;
}
/**