From cbc620c3e8e28b9f71362dc456748d568df4c771 Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Thu, 19 Dec 2019 17:42:25 +1100
Subject: [PATCH] Rollback for Build 462 This change should be revisited since it doesn't account for database-based templates which have no file path. Upon revisit, we might want to consider adding this logic in to the afterFetch() event with detection of file based mode, or even at the lower levels where the file is first extracted from the filesystem. TBA
---
 modules/cms/classes/Controller.php | 9 ---------
 modules/cms/helpers/File.php | 20 --------------------
 2 files changed, 29 deletions(-)
diff --git a/modules/cms/classes/Controller.php b/modules/cms/classes/Controller.php
index 74cb8e269..77237ed13 100644
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@@ -1030,15 +1030,6 @@ class Controller
 return false;
 }
- /*
- * Security check
- */
- if (!\Cms\Helpers\File::validateIsLocalFile($partial->getFilePath())) {
- throw new CmsException(Lang::get('cms::lang.cms_object.invalid_file', [
- 'name' => $partial->getFileName()
- ]));
- }
-
 /*
 * Run functions for CMS partials only (Cms\Classes\Partial)
 */
diff --git a/modules/cms/helpers/File.php b/modules/cms/helpers/File.php
index 83c39a85f..8849927e1 100644
--- a/modules/cms/helpers/File.php
+++ b/modules/cms/helpers/File.php
@@ -71,24 +71,4 @@ class File
 return true;
 }
-
- /**
- * Validates a CMS object path is inside the application's base directory.
- * @param string $filePath Specifies a path to validate
- * @return boolean Returns true if the file path is local. Otherwise returns false.
- */
- public static function validateIsLocalFile($filePath)
- {
- $restrictBaseDir = Config::get('cms.restrictBaseDir', true);
-
- if ($restrictBaseDir && !Filesystem::isLocalPath($filePath)) {
- return false;
- }
-
- if (!$restrictBaseDir && realpath($filePath) === false) {
- return false;
- }
-
- return true;
- }
 }
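Review bot: With the guard deleted in Controller.php, the code after the `return false;` branch runs the partial's functions with no check that `$partial->getFilePath()` resolves inside the application, and because `validateIsLocalFile()` is removed from File.php as well, `cms.restrictBaseDir` is no longer consulted on this path. If the only failure was database-backed templates having no path, a narrower change would keep the helper and skip it when there is no path, e.g. `if ($partial->getFilePath() && !\Cms\Helpers\File::validateIsLocalFile($partial->getFilePath())) {`; this assumes getFilePath() returns an empty value for those templates, which the hunk does not show. Otherwise leave a marker at the deleted site such as `// TODO(security): restore base-directory validation for file-based partials` so the gap is tracked in code and not only in the commit message. The enclosing method begins and ends outside the hunk.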