From 2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Tue, 31 Mar 2020 03:37:31 -0600
Subject: [PATCH] Improve asset file path handling

---
 modules/cms/classes/Asset.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/cms/classes/Asset.php b/modules/cms/classes/Asset.php
index c0920752f..1073f8ed8 100644
--- a/modules/cms/classes/Asset.php
+++ b/modules/cms/classes/Asset.php
@@ -285,7 +285,14 @@ class Asset extends Extendable
             $fileName = $this->fileName;
         }
 
-        return $this->theme->getPath().'/'.$this->dirName.'/'.$fileName;
+        // Limit paths to those under the assets directory
+        $directory = $this->theme->getPath() . '/' . $this->dirName . '/';
+        $path = realpath($directory . $fileName);
+        if (!starts_with($path, $directory)) {
+            return false;
+        }
+
+        return $path;
     }
 
     /**
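Review bot: The containment check compares a canonicalised `$path` against an uncanonicalised `$directory`, so `realpath()` may resolve symlinks or, on Windows, emit backslashes that the `starts_with` prefix never matches, and the method would return false for every legitimate asset reached that way. Running `realpath()` on the directory too, and appending `DIRECTORY_SEPARATOR` only after confirming it did not return false, makes the two operands comparable; the false guard matters because `false . '/'` would otherwise yield a one-character prefix that every absolute path satisfies. Separately, `realpath()` returns false for files that do not yet exist, so the method now yields false for any asset not on disk rather than the path it would be written to; if callers use this path when saving a new asset that is a behaviour change worth confirming, and the method's docblock (which starts outside the hunk) should record the new `string|false` return. The enclosing method begins before the hunk.

```php
        // Limit paths to those under the assets directory
        $directory = realpath($this->theme->getPath() . '/' . $this->dirName);
        $path = $directory === false ? false : realpath($directory . DIRECTORY_SEPARATOR . $fileName);
        if ($path === false || !starts_with($path, $directory . DIRECTORY_SEPARATOR)) {
            return false;
        }

        return $path;
```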