diff --git a/modules/backend/classes/Controller.php b/modules/backend/classes/Controller.php
index 214bf777d..24f0b6663 100644
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@@ -391,7 +391,6 @@ class Controller extends Extendable
 */
 protected function execAjaxHandlers()
 {
-
 if ($handler = $this->getAjaxHandler()) {
 try {
 /*
@@ -406,6 +405,12 @@ class Controller extends Extendable
 */
 if ($partialList = trim(Request::header('X_OCTOBER_REQUEST_PARTIALS'))) {
 $partialList = explode('&', $partialList);
+
+ foreach ($partialList as $partial) {
+ if (!preg_match('/^(?!.*\/\/)[a-z0-9\_][a-z0-9\_\-\/]*$/i', $partial)) {
+ throw new SystemException(Lang::get('cms::lang.partial.invalid_name', ['name'=>$partial]));
+ }
+ }
 }
 else {
 $partialList = [];
diff --git a/modules/backend/layouts/auth.htm b/modules/backend/layouts/auth.htm
index 530ffc77a..228c25322 100644
--- a/modules/backend/layouts/auth.htm
+++ b/modules/backend/layouts/auth.htm
@@ -16,6 +16,7 @@
+ makeAssets() ?>
 makeLayoutPartial('custom_styles') ?>
diff --git a/modules/backend/widgets/MediaManager.php b/modules/backend/widgets/MediaManager.php
index 7cb75f0dd..2d35b29bc 100644
--- a/modules/backend/widgets/MediaManager.php
+++ b/modules/backend/widgets/MediaManager.php
@@ -335,14 +335,6 @@ class MediaManager extends WidgetBase
 }
 $originalPath = Input::get('originalPath');
-
- $segments = explode('/', $originalPath);
- $regexPath = $segments[count($segments)-1];
-
- if($originalPath != '/' && !$this->validateFileName($regexPath)) {
- throw new ApplicationException(Lang::get('system::lang.media.invalid_path', compact('originalPath')));
- }
-
 $originalPath = MediaLibrary::validatePath($originalPath);
 $newPath = dirname($originalPath).'/'.$newName;
 $type = Input::get('type');
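Review bot: The partial-name pattern on the added `preg_match` line carries no `D` modifier, so `$` also matches just before a trailing newline and an entry such as `"foo\n"` passes the check; adding it (and dropping the redundant `\_` escapes inside the classes) gives `if (!preg_match('/^(?!.*\/\/)[a-z0-9_][a-z0-9_\-\/]*$/iD', $partial)) {`. The message is looked up under `cms::lang.partial.invalid_name` from backend code, which presumably makes this backend controller depend on the cms module's language file being present — worth confirming before merge. execAjaxHandlers starts before the first hunk and continues past this one.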
@@ -394,14 +386,6 @@ class MediaManager extends WidgetBase
 }
 $path = Input::get('path');
-
- $segments = explode('/', $path);
- $regexPath = $segments[count($segments)-1];
-
- if($path != '/' && !$this->validateFileName($regexPath)) {
- throw new ApplicationException(Lang::get('system::lang.media.invalid_path', compact('path')));
- }
-
 $path = MediaLibrary::validatePath($path);
 $newFolderPath = $path.'/'.$name;
diff --git a/modules/cms/classes/Theme.php b/modules/cms/classes/Theme.php
index 8e7c29070..e6ae6c64f 100644
--- a/modules/cms/classes/Theme.php
+++ b/modules/cms/classes/Theme.php
@@ -340,7 +340,7 @@ class Theme
 if (is_string($result)) {
 $fileName = File::symbolizePath($result);
- if (File::isLocalPath($fileName) || realpath($fileName) !== false) {
+ if (File::isLocalPath($fileName)) {
 $path = $fileName;
 }
 else {
diff --git a/modules/system/classes/MediaLibrary.php b/modules/system/classes/MediaLibrary.php
index 30505dfcf..64a6b2783 100644
--- a/modules/system/classes/MediaLibrary.php
+++ b/modules/system/classes/MediaLibrary.php
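Review bot: The tightened condition on the added `if (File::isLocalPath($fileName)) {` line would benefit from a one-line comment recording why the `realpath()` fallback was dropped, so that a later maintainer does not reinstate it: `// realpath() no longer widens this check; File::isLocalPath() alone decides whether the path may be used`. The identical edit appears in ConfigMaker (the `@@ -141,7 +141,7 @@` hunk) and in ViewMaker (the `@@ -194,7 +194,7 @@` hunk), and the same comment fits there. What `File::isLocalPath` actually accepts is not visible in this diff, so the wording should be checked against its implementation. The `else` branch and the enclosing method continue outside the hunk.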
@@ -472,21 +472,28 @@ class MediaLibrary
 return $path;
 }
+ /*
+ * Validate folder names
+ */
+ if (!preg_match('/^[0-9a-z@\.\s_\-\/]+$/i', $path)) {
+ throw new ApplicationException(Lang::get('system::lang.media.invalid_path', compact('path')));
+ }
+
 $regexDirectorySeparator = preg_quote('/', '#');
 $regexDot = preg_quote('.', '#');
 $regex = [
- // Checks for parent or current directory reference at beginning of path
+ // Beginning of path
 '(^'.$regexDot.'+?'.$regexDirectorySeparator.')',
- // Check for parent or current directory reference in middle of path
+ // Middle of path
 '('.$regexDirectorySeparator.$regexDot.'+?'.$regexDirectorySeparator.')',
- // Check for parent or current directory reference at end of path
+ // End of path
 '('.$regexDirectorySeparator.$regexDot.'+?$)',
 ];
 /*
- * Combine everything to one regex
+ * Validate invalid paths
 */
 $regex = '#'.implode('|', $regex).'#';
 if (preg_match($regex, $path) !== 0 || strpos($path, '//') !== false) {
diff --git a/modules/system/traits/ConfigMaker.php b/modules/system/traits/ConfigMaker.php
index 80094e318..ff9a3e65c 100644
--- a/modules/system/traits/ConfigMaker.php
+++ b/modules/system/traits/ConfigMaker.php
@@ -141,7 +141,7 @@ trait ConfigMaker
 $fileName = File::symbolizePath($fileName);
- if (File::isLocalPath($fileName) || realpath($fileName) !== false) {
+ if (File::isLocalPath($fileName)) {
 return $fileName;
 }
diff --git a/modules/system/traits/ViewMaker.php b/modules/system/traits/ViewMaker.php
index cc1f80b45..e1883bf69 100644
--- a/modules/system/traits/ViewMaker.php
+++ b/modules/system/traits/ViewMaker.php
@@ -194,7 +194,7 @@ trait ViewMaker
 $fileName = File::symbolizePath($fileName);
- if (File::isLocalPath($fileName) || realpath($fileName) !== false) {
+ if (File::isLocalPath($fileName)) {
 return $fileName;
 }
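Review bot: The new character-class check uses `\s`, which admits tabs, newlines and other control whitespace anywhere in the path, and without the `D` modifier `$` also tolerates a trailing newline; a literal space is what folder names need, so `if (!preg_match('/^[0-9a-z@\. _\-\/]+$/iD', $path)) {` is the tighter form. The rewritten comments also lose information: `// Beginning of path` no longer says what is matched there, and `* Validate invalid paths` reads as a contradiction, so restoring the previous wording (`// Checks for parent or current directory reference at beginning of path` and its middle/end counterparts, plus `* Combine everything to one regex`) would serve the next reader better. validatePath begins above the hunk, so the condition guarding the early `return $path;` is not visible here and may or may not bypass the new check.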
@@ -221,7 +221,7 @@ trait ViewMaker
 */
 public function makeFileContents($filePath, $extraParams = [])
 {
- if (!strlen($filePath) || !File::isFile($filePath)) {
+ if (!strlen($filePath) || !File::isFile($filePath) || !File::isLocalPath($filePath)) {
 return '';
 }
diff --git a/tests/unit/system/classes/MediaLibraryTest.php b/tests/unit/system/classes/MediaLibraryTest.php
index fc9400bb7..8adaaf54f 100644
--- a/tests/unit/system/classes/MediaLibraryTest.php
+++ b/tests/unit/system/classes/MediaLibraryTest.php
@@ -43,7 +43,6 @@ class MediaLibraryTest extends TestCase // @codingStandardsIgnoreLine
 {
 $this->expectException('ApplicationException');
 MediaLibrary::validatePath($path);
-
 }
 /**
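Review bot: In the rewritten condition `File::isFile($filePath)` is evaluated before the newly added `File::isLocalPath($filePath)`, so the filesystem is still probed for a path that the new guard is about to reject; placing the guard the commit introduces ahead of the file lookup avoids that: `if (!strlen($filePath) || !File::isLocalPath($filePath) || !File::isFile($filePath)) {`. Whether `isLocalPath` touches the filesystem itself is not visible here, but it is the check this change adds, so it belongs before the existence test either way. makeFileContents continues past the hunk.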