From 8551b3d3e653172d5b76110747de806c7fc81654 Mon Sep 17 00:00:00 2001
From: Colin Mollenhour
Date: Wed, 31 Jan 2018 10:26:43 -0500
Subject: [PATCH] Support symlinks while not allowing malicious template paths.
---
 app/code/core/Mage/Core/Block/Template.php | 15 +++++++++------
 .../Mage/Page/Block/Html/Topmenu/Renderer.php | 2 +-
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/app/code/core/Mage/Core/Block/Template.php b/app/code/core/Mage/Core/Block/Template.php
index 7e277b0a96b..bb84bf6bebb 100644
--- a/app/code/core/Mage/Core/Block/Template.php
+++ b/app/code/core/Mage/Core/Block/Template.php
@@ -167,8 +167,7 @@ public function assign($key, $value=null)
 */
 public function setScriptPath($dir)
 {
- $scriptPath = realpath($dir);
- if (strpos($scriptPath, realpath(Mage::getBaseDir('design'))) === 0 || $this->_getAllowSymlinks()) {
+ if (strpos($dir, '..') === FALSE && ($dir === Mage::getBaseDir('design') || strpos(realpath($dir), realpath(Mage::getBaseDir('design'))) === 0)) {
 $this->_viewDir = $dir;
 } else {
 Mage::log('Not valid script path:' . $dir, Zend_Log::CRIT, null, null, true);
@@ -236,9 +235,12 @@ public function fetchView($fileName)
 }
 
 try {
- $includeFilePath = realpath($this->_viewDir . DS . $fileName);
- if ($includeFilePath != '' && (strpos($includeFilePath, realpath($this->_viewDir)) === 0 || $this->_getAllowSymlinks())) {
- include $includeFilePath;
+ if (
+ strpos($this->_viewDir . DS . $fileName, '..') === FALSE
+ &&
+ ($this->_viewDir == Mage::getBaseDir('design') || strpos(realpath($this->_viewDir), realpath(Mage::getBaseDir('design'))) === 0)
+ ) {
+ include $this->_viewDir . DS . $fileName;
 } else {
 $thisClass = get_class($this);
 Mage::log('Not valid template file:' . $fileName . ' class: ' . $thisClass, Zend_Log::CRIT, null, true);
@@ -345,8 +347,9 @@ public function getCacheKeyInfo()
 }
 
 /**
- * Get is allowed symliks flag
+ * Get is allowed symlinks flag
 *
+ * @deprecated
 * @return bool
 */
 protected function _getAllowSymlinks()
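Review bot: The containment test in `setScriptPath()`, `strpos(realpath($dir), realpath(Mage::getBaseDir('design'))) === 0`, is a plain string-prefix match, so a sibling directory whose name merely begins with the design path (constructed example: `.../app/design_old`) also passes. Anchoring the comparison on a directory boundary closes that: with `$real = realpath($dir);` and `$base = realpath(Mage::getBaseDir('design'));`, test `$real !== false && $base !== false && strpos($real . DS, $base . DS) === 0`. The explicit `false` checks matter because a `false` or empty needle is handled differently by `strpos()` across PHP versions and can make the prefix test succeed. The same prefix test is repeated in the `fetchView()` hunk that follows; the body of `setScriptPath()` continues outside this hunk.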
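Review bot: The new guard in `fetchView()` re-validates only `$this->_viewDir`; the file that is actually included is covered by nothing but the `..` substring test, and the path handed to `include` is no longer resolved. As a result a template that does not exist now reaches `include` and raises a warning instead of taking the logged `else` branch that the removed `$includeFilePath != ''` check provided, and a symlink under the design tree is followed wherever it points without consulting `_getAllowSymlinks()`. If the second effect is the intended trade-off, state it in a comment above the condition, e.g. `// Symlink targets are deliberately not resolved; this relies on rejecting '..' and on the design tree not being writable by untrusted users.`, and restore the existence check with `&& is_file($this->_viewDir . DS . $fileName)`. The comparison `$this->_viewDir == Mage::getBaseDir('design')` is loose where `setScriptPath()` uses `===`. `fetchView()` starts and ends outside this hunk.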
diff --git a/app/code/core/Mage/Page/Block/Html/Topmenu/Renderer.php b/app/code/core/Mage/Page/Block/Html/Topmenu/Renderer.php
index 36729fd1bc7..ab453fe3aae 100644
--- a/app/code/core/Mage/Page/Block/Html/Topmenu/Renderer.php
+++ b/app/code/core/Mage/Page/Block/Html/Topmenu/Renderer.php
@@ -50,7 +50,7 @@ protected function _toHtml()
 }
 
 $includeFilePath = realpath(Mage::getBaseDir('design') . DS . $this->getTemplateFile());
- if (strpos($includeFilePath, realpath(Mage::getBaseDir('design'))) === 0 || $this->_getAllowSymlinks()) {
+ if (strpos($this->getTemplateFile(), '..') === FALSE) {
 $this->_templateFile = $includeFilePath;
 } else {
 throw new Exception('Not valid template file:' . $this->_templateFile);
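Review bot: `realpath()` on the line above the changed condition returns `false` when the template file does not exist, and the new test `strpos($this->getTemplateFile(), '..') === FALSE` no longer looks at `$includeFilePath` at all, so `false` can be stored in `$this->_templateFile`. The removed prefix check rejected that case implicitly whenever `_getAllowSymlinks()` was off; keep the rejection explicit with `if ($includeFilePath !== false && strpos($this->getTemplateFile(), '..') === FALSE) {`. Because `realpath()` resolves symlinks here while containment under the design directory is no longer verified, a one-line comment saying this is intentional would help the next reader. `_toHtml()` continues outside the hunk.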