Merge pull request from GHSA-5p3f-rh28-8frw

Only serve existing static library assets, really!?
2022-03-08 12:01:34 +01:00 · 2022-03-08 12:01:34 +01:00 · b7c31eb922
parent 26d8b2a051 379ddb91f0
commit b7c31eb922
1 changed files with 14 additions and 3 deletions
--- a/library/Icinga/Web/Controller/StaticController.php
+++ b/library/Icinga/Web/Controller/StaticController.php
@ -39,10 +39,21 @@ class StaticController
        }

        $assetRoot = $library->getStaticAssetPath();
-        $filePath = $assetRoot . DIRECTORY_SEPARATOR . $assetPath;
+        if (empty($assetRoot)) {
+            $app->getResponse()
+                ->setHttpResponseCode(404);

-        // Doesn't use realpath as it isn't supposed to access files outside asset/static
-        if (! is_readable($filePath) || ! is_file($filePath)) {
+            return;
+        }
+
+        $filePath = $assetRoot . DIRECTORY_SEPARATOR . $assetPath;
+        $dirPath = realpath(dirname($filePath)); // dirname, because the file may be a link
+
+        if (
+            $dirPath === false
+            || substr($dirPath, 0, strlen($assetRoot)) !== $assetRoot
+            || ! is_file($filePath)
+        ) {
            $app->getResponse()
                ->setHttpResponseCode(404);