Skip to content

Commit

Permalink
Support symlinks while not allowing malicious template paths.
Browse files Browse the repository at this point in the history
  • Loading branch information
@colinmollenhour
colinmollenhour committed Jan 31, 2018
1 parent 5577362 commit 8551b3d
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 7 deletions.
15 changes: 9 additions & 6 deletions app/code/core/Mage/Core/Block/Template.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -167,8 +167,7 @@ public function assign($key, $value=null)
*/
public function setScriptPath($dir)
{
$scriptPath = realpath($dir);
if (strpos($scriptPath, realpath(Mage::getBaseDir('design'))) === 0 || $this->_getAllowSymlinks()) {
if (strpos($dir, '..') === FALSE && ($dir === Mage::getBaseDir('design') || strpos(realpath($dir), realpath(Mage::getBaseDir('design'))) === 0)) {
$this->_viewDir = $dir;
} else {
Mage::log('Not valid script path:' . $dir, Zend_Log::CRIT, null, null, true);
Expand Down Expand Up @@ -236,9 +235,12 @@ public function fetchView($fileName)
}

try {
$includeFilePath = realpath($this->_viewDir . DS . $fileName);
if ($includeFilePath != '' && (strpos($includeFilePath, realpath($this->_viewDir)) === 0 || $this->_getAllowSymlinks())) {
include $includeFilePath;
if (
strpos($this->_viewDir . DS . $fileName, '..') === FALSE
&&
($this->_viewDir == Mage::getBaseDir('design') || strpos(realpath($this->_viewDir), realpath(Mage::getBaseDir('design'))) === 0)
) {
include $this->_viewDir . DS . $fileName;
} else {
$thisClass = get_class($this);
Mage::log('Not valid template file:' . $fileName . ' class: ' . $thisClass, Zend_Log::CRIT, null, true);
Expand Down Expand Up @@ -345,8 +347,9 @@ public function getCacheKeyInfo()
}

/**
* Get is allowed symliks flag
* Get is allowed symlinks flag
*
* @deprecated
* @return bool
*/
protected function _getAllowSymlinks()
Expand Down
2 changes: 1 addition & 1 deletion app/code/core/Mage/Page/Block/Html/Topmenu/Renderer.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ protected function _toHtml()
}

$includeFilePath = realpath(Mage::getBaseDir('design') . DS . $this->getTemplateFile());
if (strpos($includeFilePath, realpath(Mage::getBaseDir('design'))) === 0 || $this->_getAllowSymlinks()) {
if (strpos($this->getTemplateFile(), '..') === FALSE) {
$this->_templateFile = $includeFilePath;
} else {
throw new Exception('Not valid template file:' . $this->_templateFile);
Expand Down

0 comments on commit 8551b3d

Please sign in to comment.