composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 07:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/support/3.2' into develop

Browse Source
This commit is contained in:
Molkobain
2024-03-21 17:43:41 +01:00
parent a93d5b87e1 673b01585d
commit ed81dbc4a2
9 changed files with 204 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
sources/Application/WebPage/WebPage.php
View File

@@ -544,7 +544,9 @@ class WebPage implements Page
return;
}
if (false === utils::RealPath(APPROOT . $sFileRelPath, APPROOT)) {
// Ensure file is within the app folder
$sFileRelPathWithoutQueryParams = explode("?", $sFileRelPath)[0];
if (false === utils::RealPath(APPROOT . $sFileRelPathWithoutQueryParams, APPROOT)) {
IssueLog::Warning("Linked resource added to page with a path from outside app directory, it will be ignored.", LogChannels::CONSOLE, [
"linked_resource_uri" => $sFileRelPath,
"request_uri" => $_SERVER['REQUEST_URI'] ?? '' /* CLI */,
@@ -580,7 +582,9 @@ class WebPage implements Page
return;
}
$sFileAbsPath = MODULESROOT . $sFileRelPath;
// Ensure file is within the app folder
$sFileRelPathWithoutQueryParams = explode("?", $sFileRelPath)[0];
$sFileAbsPath = MODULESROOT . $sFileRelPathWithoutQueryParams;
// For modules only, we don't check real path if symlink as the file would not be in under MODULESROOT
if (false === is_link($sFileAbsPath) && false === utils::RealPath($sFileAbsPath, MODULESROOT)) {
IssueLog::Warning("Linked resource added to page with a path from outside current env. directory, it will be ignored.", LogChannels::CONSOLE, [