Merge pull request from GHSA-5p3f-rh28-8frw

Only serve existing static library assets, really!?
Johannes Meyer 2022-03-08 12:01:34 +01:00 committed by GitHub
commit b7c31eb922
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 3 deletions


@ -39,10 +39,21 @@ class StaticController
} }
$assetRoot = $library->getStaticAssetPath(); $assetRoot = $library->getStaticAssetPath();
$filePath = $assetRoot . DIRECTORY_SEPARATOR . $assetPath; if (empty($assetRoot)) {
$app->getResponse()
->setHttpResponseCode(404);
// Doesn't use realpath as it isn't supposed to access files outside asset/static return;
if (! is_readable($filePath) || ! is_file($filePath)) { }
$filePath = $assetRoot . DIRECTORY_SEPARATOR . $assetPath;
$dirPath = realpath(dirname($filePath)); // dirname, because the file may be a link
if (
$dirPath === false
|| substr($dirPath, 0, strlen($assetRoot)) !== $assetRoot
|| ! is_file($filePath)
) {
$app->getResponse() $app->getResponse()
->setHttpResponseCode(404); ->setHttpResponseCode(404);