Rollback for Build 462

This change should be revisited since it doesn't account for database-based templates which have no file path. Upon revisit, we might want to consider adding this logic in to the afterFetch() event with detection of file based mode, or even at the lower levels where the file is first extracted from the filesystem. TBA
2019-12-19 17:42:25 +11:00 · 2019-12-19 17:42:25 +11:00 · cbc620c3e8
parent 9bfdf6236b
commit cbc620c3e8
2 changed files with 0 additions and 29 deletions
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@ -1030,15 +1030,6 @@ class Controller
            return false;
        }

-        /*
-         * Security check
-         */
-        if (!\Cms\Helpers\File::validateIsLocalFile($partial->getFilePath())) {
-            throw new CmsException(Lang::get('cms::lang.cms_object.invalid_file', [
-                'name' => $partial->getFileName()
-            ]));
-        }
-
        /*
         * Run functions for CMS partials only (Cms\Classes\Partial)
         */
--- a/modules/cms/helpers/File.php
+++ b/modules/cms/helpers/File.php
@ -71,24 +71,4 @@ class File

        return true;
    }
-
-    /**
-     * Validates a CMS object path is inside the application's base directory.
-     * @param string $filePath Specifies a path to validate
-     * @return boolean Returns true if the file path is local. Otherwise returns false.
-     */
-    public static function validateIsLocalFile($filePath)
-    {
-        $restrictBaseDir = Config::get('cms.restrictBaseDir', true);
-
-        if ($restrictBaseDir && !Filesystem::isLocalPath($filePath)) {
-            return false;
-        }
-
-        if (!$restrictBaseDir && realpath($filePath) === false) {
-            return false;
-        }
-
-        return true;
-    }
 }