Add protection for unauthorized file access to all fallback-based pat…

…hs and allow symlinks for inlinecss directive.
OpenMage · Sep 17, 2018 · 9b495d1 · 9b495d1
1 parent 8551b3d
commit 9b495d1
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/app/code/core/Mage/Core/Model/Design/Package.php b/app/code/core/Mage/Core/Model/Design/Package.php
@@ -436,10 +436,18 @@ protected function _fallback($file, array &$params, array $fallbackScheme = arra
      * @param string $file
      * @param array $params
      * @return string
+     * @throws Exception
      */
     public function getFilename($file, array $params)
     {
         Varien_Profiler::start(__METHOD__);
+
+        // Prevent reading files outside of the proper directory while still allowing symlinked files
+        if (strpos($file, '..') !== false) {
+            Mage::log(sprintf('Invalid path requested: %s (params: %s)', $file, json_encode($params)), Zend_Log::ERR);
+            throw new Exception('Invalid path requested.');
+        }
+
         $this->updateParamDefaults($params);
         $result = $this->_fallback(
             $file,
@@ -478,10 +486,18 @@ public function getLocaleFileName($file, array $params=array())
      * @param string $file
      * @param array $params
      * @return string
+     * @throws Exception
      */
     public function getSkinUrl($file = null, array $params = array())
     {
         Varien_Profiler::start(__METHOD__);
+
+        // Prevent reading files outside of the proper directory while still allowing symlinked files
+        if (strpos($file, '..') !== false) {
+            Mage::log(sprintf('Invalid path requested: %s (params: %s)', $file, json_encode($params)), Zend_Log::ERR);
+            throw new Exception('Invalid path requested.');
+        }
+
         if (empty($params['_type'])) {
             $params['_type'] = 'skin';
         }

diff --git a/app/code/core/Mage/Core/Model/Email/Template/Abstract.php b/app/code/core/Mage/Core/Model/Email/Template/Abstract.php
@@ -235,11 +235,9 @@ protected function _getCssFileContent($filename)
                 '_theme' => $theme,
             )
         );
-        $filePath = realpath($filePath);
-        $positionSkinDirectory = strpos($filePath, Mage::getBaseDir('skin'));
         $validator = new Zend_Validate_File_Extension('css');
 
-        if ($validator->isValid($filePath) && $positionSkinDirectory !== false && is_readable($filePath)) {
+        if ($validator->isValid($filePath) && is_readable($filePath)) {
             return (string) file_get_contents($filePath);
         }