Prevent Phame blogs from using invalid skins
ClosedPublic
Actions

Authored by epriestley on Dec 15 2014, 6:26 PM.

Details

Reviewers

Commits

Restricted Diffusion Commit
rP2037979142cb: Prevent Phame blogs from using invalid skins

Summary

Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Test Plan

Attempted to build a blog with an invalid skin; got an exception instead of a mis-load of a sketchy skin.

Diff Detail

Repository

rP Phabricator

Branch

phame1

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 3262
Build 3268: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley updated this revision to Diff 26388.Dec 15 2014, 6:26 PM

epriestley retitled this revision from to Prevent Phame blogs from using invalid skins.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added a reviewer: btrahan.

Herald added a subscriber: epriestley. · View Herald TranscriptDec 15 2014, 6:26 PM

btrahan accepted this revision.Dec 15 2014, 6:41 PM

btrahan edited edge metadata.

This revision is now accepted and ready to land.Dec 15 2014, 6:41 PM

Closed by commit rP2037979142cb: Prevent Phame blogs from using invalid skins (authored by epriestley, committed by epriestley). · Explain WhyDec 15 2014, 6:41 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

phame/

skins/

PhameSkinSpecification.php

24 lines

Diff 26388

View Options

src/applications/phame/skins/PhameSkinSpecification.php

Prevent Phame blogs from using invalid skinsClosedPublicActions