TPS
/
ORIENT
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add config flag for disabling basedir restrictions for local development only (#3626) 

Fixes #3619. Credit to @lthurston
This commit is contained in:
Lucas Thurston 2018-07-05 14:07:38 -07:00 committed by Luke Towers
parent c55a7cd2e2
commit 85dd0b9968
3 changed files with 31 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
config/cms.php
View File

@ -362,4 +362,23 @@ return [
'enableTwigStrictVariables' => false, 'enableTwigStrictVariables' => false,
/*
|--------------------------------------------------------------------------
| Base Directory Restriction
|--------------------------------------------------------------------------
|
| Restricts loading backend template and config files to within the base
| directory of the application.
|
| WARNING: This should always be enabled for security reasons. However, in
| some cases you may need to disable this; for instance when developing
| plugins that are stored elsewhere in the filesystem for organizational
| reasons and then symlinked into the application plugins/ directory.
|
| NEVER have this disabled in production.
|
*/
'restrictBaseDir' => true,
]; ];

5
modules/system/traits/ConfigMaker.php
View File

@ -7,6 +7,7 @@ use Event;
use SystemException; use SystemException;
use Backend\Classes\Controller; use Backend\Classes\Controller;
use stdClass; use stdClass;
use Config;
/** /**
* Config Maker Trait * Config Maker Trait
@ -141,7 +142,9 @@ trait ConfigMaker
$fileName = File::symbolizePath($fileName); $fileName = File::symbolizePath($fileName);
if (File::isLocalPath($fileName)) { if (File::isLocalPath($fileName) ||
(!Config::get('cms.restrictBaseDir', true) && realpath($fileName) !== false)
) {
return $fileName; return $fileName;
} }

10
modules/system/traits/ViewMaker.php
View File

@ -8,6 +8,7 @@ use SystemException;
use Exception; use Exception;
use Throwable; use Throwable;
use Symfony\Component\Debug\Exception\FatalThrowableError; use Symfony\Component\Debug\Exception\FatalThrowableError;
use Config;
/** /**
* View Maker Trait * View Maker Trait
@ -194,7 +195,9 @@ trait ViewMaker
$fileName = File::symbolizePath($fileName); $fileName = File::symbolizePath($fileName);
if (File::isLocalPath($fileName)) { if (File::isLocalPath($fileName) ||
(!Config::get('cms.restrictBaseDir', true) && realpath($fileName) !== false)
) {
return $fileName; return $fileName;
} }
@ -221,7 +224,10 @@ trait ViewMaker
*/ */
public function makeFileContents($filePath, $extraParams = []) public function makeFileContents($filePath, $extraParams = [])
{ {
if (!strlen($filePath) || !File::isFile($filePath) || !File::isLocalPath($filePath)) { if (!strlen($filePath) ||
!File::isFile($filePath) ||
(!File::isLocalPath($filePath) && Config::get('cms.restrictBaseDir', true))
) {
return ''; return '';
} }