
D10992.diff

D10992.diff

diff --git a/src/applications/phame/skins/PhameSkinSpecification.php b/src/applications/phame/skins/PhameSkinSpecification.php
--- a/src/applications/phame/skins/PhameSkinSpecification.php
+++ b/src/applications/phame/skins/PhameSkinSpecification.php
@@ -56,12 +56,32 @@
}
public static function loadOneSkinSpecification($name) {
+ // Only allow skins which we know to exist to load. This prevents loading
+ // skins like "../../secrets/evil/".
+ $all = self::loadAllSkinSpecifications();
+ if (empty($all[$name])) {
+ throw new Exception(
+ pht(
+ 'Blog skin "%s" is not a valid skin!',
+ $name));
+ }
+
$paths = PhabricatorEnv::getEnvConfig('phame.skins');
- $base = dirname(phutil_get_library_root('phabricator'));
+ $base = dirname(phutil_get_library_root('phabricator'));
foreach ($paths as $path) {
$path = Filesystem::resolvePath($path, $base);
$skin_path = $path.DIRECTORY_SEPARATOR.$name;
if (is_dir($skin_path)) {
+
+ // Double check that the skin really lives in the skin directory.
+ if (!Filesystem::isDescendant($skin_path, $path)) {
+ throw new Exception(
+ pht(
+ 'Blog skin "%s" is not located in path "%s"!',
+ $name,
+ $path));
+ }
+
$spec = self::loadSkinSpecification($skin_path);
if ($spec) {
$spec->setName($name);
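Review bot: The new allow-list check on lines 17–22 changes the contract for an unknown skin name from a `null` result (the method still ends with `return null;` when no directory matches, visible in the next hunk) to a thrown `Exception`, so callers that branched on `null` will now need to catch; that deserves a docblock on the method, e.g. `@throws Exception if $name is not a known skin or does not resolve inside a configured skin directory.` If `loadAllSkinSpecifications()` returns spec objects keyed by name from the same `phame.skins` paths — I can't confirm its return shape from this hunk — the `is_dir`/`isDescendant` walk below the guard re-reads `skin.json` for a skin that is already in `$all`, and `return $all[$name];` after the guard would avoid that second pass. The `Filesystem::isDescendant` check on line 33 is reasonable defence in depth, on the assumption that it compares canonicalised paths rather than raw string prefixes. loadOneSkinSpecification's body continues past the end of this hunk.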
@@ -72,7 +92,7 @@
return null;
}
- public static function loadSkinSpecification($path) {
+ private static function loadSkinSpecification($path) {
$config_path = $path.DIRECTORY_SEPARATOR.'skin.json';
$config = array();
