From e8d526fcf9054e985677fc24805ae510ca16638d Mon Sep 17 00:00:00 2001
From: Alexander Fuhr
Date: Mon, 8 Sep 2014 12:59:22 +0200
Subject: [PATCH] StaticController: Fix img file inclusion
---
 application/controllers/StaticController.php | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/application/controllers/StaticController.php b/application/controllers/StaticController.php
index edcc57d39..c8b1d9b73 100644
--- a/application/controllers/StaticController.php
+++ b/application/controllers/StaticController.php
@@ -59,20 +59,12 @@ class StaticController extends ActionController
 public function imgAction()
 {
 $module = $this->_getParam('module_name');
- // TODO: This is more than dangerous, must be fixed!!
 $file = $this->_getParam('file');
 $basedir = Icinga::app()->getModuleManager()->getModule($module)->getBaseDir();
 $filePath = realpath($basedir . '/public/img/' . $file);
- if (strpos($filePath, $basedir) === false) {
- throw new ActionException(sprintf(
- '%s does not exist',
- $filePath
- ), 404);
- }
-
- if (! file_exists($filePath)) {
+ if (! $filePath || strpos($filePath, $basedir) !== 0) {
 throw new ActionException(sprintf(
 '%s does not exist',
 $filePath
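Review bot: The new guard `strpos($filePath, $basedir) !== 0` still anchors containment at the module base directory rather than at `public/img`, so a `file` value containing `../` can resolve to any readable file inside the module (PHP sources, bundled configuration) and pass the check. It is also a bare string-prefix test, so a sibling directory whose name merely begins with the base directory's name would match, and `$basedir` is never canonicalised while `$filePath` is. Consider resolving the image root once, `$imgDir = realpath($basedir . '/public/img');`, and rejecting unless `$imgDir !== false && $filePath !== false && strpos($filePath, $imgDir . DIRECTORY_SEPARATOR) === 0`. The exception message interpolates the resolved `$filePath`, which may reveal an absolute server path when an existing file fails the check, depending on how the exception is rendered; a fixed message would avoid that. imgAction continues past the end of the hunk, so how the file is subsequently read and served is not visible here.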