harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

purify user-supplied filenames in some cases. Probably not needed but it's the right thing to do.

Browse Source
This commit is contained in:
zotlabs 2017-10-09 15:13:25 -07:00
parent 23812e5b48
commit 623dfa1384
3 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Zotlabs/Render/Comanche.php
View File

@ -457,6 +457,9 @@ class Comanche {
} }
} }
if(! purify_filename($name))
return ''
$clsname = ucfirst($name); $clsname = ucfirst($name);
$nsname = "\\Zotlabs\\Widget\\" . $clsname; $nsname = "\\Zotlabs\\Widget\\" . $clsname;

4
include/nav.php
View File

@ -275,8 +275,8 @@ EOT;
} }
} }
$c = theme_include('navbar_' . $template . '.css'); $c = theme_include('navbar_' . purify_filename($template) . '.css');
$tpl = get_markup_template('navbar_' . $template . '.tpl'); $tpl = get_markup_template('navbar_' . purify_filename($template) . '.tpl');
if($c && $tpl) { if($c && $tpl) {
head_add_css('navbar_' . $template . '.css'); head_add_css('navbar_' . $template . '.css');

6
include/text.php
View File

@ -3156,3 +3156,9 @@ function ellipsify($s,$maxlen) {
return mb_substr($s,0,$maxlen / 2) . '...' . mb_substr($s,mb_strlen($s) - ($maxlen / 2)); return mb_substr($s,0,$maxlen / 2) . '...' . mb_substr($s,mb_strlen($s) - ($maxlen / 2));
} }
function purify_filename($s) {
if(($s[0] === '.') || strpos($s,'/') !== false)
return '';
return $s;
}