mirror_php/winter
1
0
Fork 0
mirror of https://github.com/wintercms/winter.git synced 2024-06-28 05:33:29 +02:00
Code Issues Projects Releases Wiki Activity

Use new PathResolver methods for handling file Asset / Object paths

Browse Source
This commit is contained in:
Ben Thomson 2020-08-13 12:48:07 +08:00
parent cdb8acd214
commit 3a1f547adb
No known key found for this signature in database
GPG Key ID: E2B9C73B52D15AA0
2 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/cms/classes/Asset.php
View File

@ -4,10 +4,11 @@ use File;
use Lang;
use Config;
use Request;
use Cms\Helpers\File as FileHelper;
use October\Rain\Extension\Extendable;
use ApplicationException;
use ValidationException;
use Cms\Helpers\File as FileHelper;
use October\Rain\Extension\Extendable;
use October\Rain\Filesystem\PathResolver;
/**
* The CMS theme asset file class.
@ -287,14 +288,13 @@ class Asset extends Extendable
$directory = $this->theme->getPath() . '/' . $this->dirName . '/';
$filePath = $directory . $fileName;
$resolvedPath = resolve_path($filePath);
// Limit paths to those under the theme's assets directory
if (!starts_with($resolvedPath, $directory)) {
if (!PathResolver::within($filePath, $directory)) {
return false;
}
return $resolvedPath;
return PathResolver::resolve($filePath);
}
/**

14
modules/cms/classes/CmsObject.php
View File

@ -4,11 +4,12 @@ use App;
use Lang;
use Event;
use Config;
use October\Rain\Halcyon\Model as HalcyonModel;
use Cms\Contracts\CmsObject as CmsObjectContract;
use ApplicationException;
use ValidationException;
use Exception;
use ValidationException;
use ApplicationException;
use Cms\Contracts\CmsObject as CmsObjectContract;
use October\Rain\Filesystem\PathResolver;
use October\Rain\Halcyon\Model as HalcyonModel;
/**
* This is a base class for all CMS objects - content files, pages, partials and layouts.
@ -229,14 +230,13 @@ class CmsObject extends HalcyonModel implements CmsObjectContract
$directory = $this->theme->getPath() . '/' . $this->getObjectTypeDirName() . '/';
$filePath = $directory . $fileName;
$resolvedPath = resolve_path($filePath);
// Limit paths to those under the corresponding theme directory
if (!starts_with($resolvedPath, $directory)) {
if (!PathResolver::within($filePath, $directory)) {
return false;
}
return $resolvedPath;
return PathResolver::resolve($filePath);
}
/**