Lanmikeman/openvk
Lanmikeman
/
openvk
mirror of https://github.com/openvk/openvk
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[IMPORTANT SECURITY] Fix critical directory traversal vulnerability in theming mechanism

This commit is contained in:
Jill Stingray 2020-06-14 18:37:06 +03:00
parent ad89b0a5e2
commit 02dd373460
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Web/Presenters/ThemepacksPresenter.php
View File

@ -14,7 +14,7 @@ final class ThemepacksPresenter extends OpenVKPresenter
$theme = Themepacks::i()[$themepack];
if($resClass === "resource") {
$data = $theme->fetchStaticResource($resource);
$data = $theme->fetchStaticResource(chandler_escape_url($resource));
} else if($resClass === "stylesheet") {
if($resource !== "styles.css")
$this->notFound();
@ -27,7 +27,7 @@ final class ThemepacksPresenter extends OpenVKPresenter
if(!$data)
$this->notFound();
header("Content-Type: " . system_extension_mime_type($resource));
header("Content-Type: " . system_extension_mime_type($resource) ?? "text/plain; charset=unknown-8bit");
header("Content-Size: " . strlen($data));
header("Cache-Control: public, no-transform, max-age=31536000");
exit($data);