From bf0ad4b4ce561d7d66045f16e27cff4cfaaba16e Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Wed, 23 Feb 2022 17:18:16 +0100
Subject: [PATCH] Only serve existing static library assets, really!?

---
 .../Icinga/Web/Controller/StaticController.php  | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/library/Icinga/Web/Controller/StaticController.php b/library/Icinga/Web/Controller/StaticController.php
index 7c06dfedb..2d65baf6d 100644
--- a/library/Icinga/Web/Controller/StaticController.php
+++ b/library/Icinga/Web/Controller/StaticController.php
@@ -39,10 +39,21 @@ class StaticController
         }
 
         $assetRoot = $library->getStaticAssetPath();
-        $filePath = $assetRoot . DIRECTORY_SEPARATOR . $assetPath;
+        if (empty($assetRoot)) {
+            $app->getResponse()
+                ->setHttpResponseCode(404);
 
-        // Doesn't use realpath as it isn't supposed to access files outside asset/static
-        if (! is_readable($filePath) || ! is_file($filePath)) {
+            return;
+        }
+
+        $filePath = $assetRoot . DIRECTORY_SEPARATOR . $assetPath;
+        $dirPath = realpath(dirname($filePath)); // dirname, because the file may be a link
+
+        if (
+            $dirPath === false
+            || substr($dirPath, 0, strlen($assetRoot)) !== $assetRoot
+            || ! is_file($filePath)
+        ) {
             $app->getResponse()
                 ->setHttpResponseCode(404);