
Prevent Phame blogs from using invalid skins

Description

Prevent Phame blogs from using invalid skins

Summary: Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Test Plan: Attempted to build a blog with an invalid skin; got an exception instead of a mis-load of a sketchy skin.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10992
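
A load-time containment check of the kind the summary calls for, as an added example that is not Phabricator's code and not the change made in D10992. The function name `resolve_skin()`, the directory layout and the sample skin names are assumptions constructed for the illustration.

```php
<?php
// Added illustration; not Phabricator's code. resolve_skin() and the
// directory layout below are hypothetical.

/**
 * Resolve a stored skin name to a directory, accepting it only if its
 * canonical path is a direct child of one of the configured skin roots.
 */
function resolve_skin(string $name, array $skin_roots): string {
  // A skin name must be a single path component.
  if ($name === '' || $name === '.' || $name === '..' ||
      strpbrk($name, "/\\") !== false) {
    throw new InvalidArgumentException('Invalid skin name.');
  }
  foreach ($skin_roots as $root) {
    $real_root = realpath($root);
    if ($real_root === false) {
      continue; // Configured root does not exist on disk.
    }
    // realpath() follows symlinks, so an entry inside the root that points
    // elsewhere resolves to its true location and fails the parent check.
    // (This also rejects symlinked skins, a deliberate choice here.)
    $real_skin = realpath($real_root.DIRECTORY_SEPARATOR.$name);
    if ($real_skin !== false && is_dir($real_skin) &&
        dirname($real_skin) === $real_root) {
      return $real_skin;
    }
  }
  throw new RuntimeException('Skin is not in a configured skin directory.');
}

// Constructed sample layout in a temporary directory.
$base = sys_get_temp_dir().'/skin-demo-'.uniqid();
mkdir("$base/skins/default", 0700, true);
mkdir("$base/elsewhere/rogue", 0700, true);
symlink("$base/elsewhere/rogue", "$base/skins/linked");

// Constructed skin names: one valid, three that must be refused.
foreach (array('default', '../elsewhere/rogue', 'linked', 'missing') as $name) {
  try {
    echo $name, ' => ', resolve_skin($name, array("$base/skins")), "\n";
  } catch (Exception $ex) {
    echo $name, ' => rejected: ', $ex->getMessage(), "\n";
  }
}
```

Only `default` resolves; the other names raise an exception, matching the behavior the test plan describes for an invalid skin.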

Details

Provenance
epriestley Authored on
epriestley Pushed on Dec 15 2014, 6:41 PM
Reviewer
btrahan
Differential Revision
D10992: Prevent Phame blogs from using invalid skins
Parents
rP2a9db94ba6e9: Restore Maniphest subscriber transaction mail tag