mirror of
https://github.com/openvk/openvk
synced 2024-12-22 16:42:32 +03:00
[IMPORTANT SECURITY] Fix critical directory traversal vulnerability in theming mechanism
parent
ad89b0a5e2
commit
02dd373460
1 changed files with 2 additions and 2 deletions
|
@ -14,7 +14,7 @@ final class ThemepacksPresenter extends OpenVKPresenter
|
|||
$theme = Themepacks::i()[$themepack];
|
||||
|
||||
if($resClass === "resource") {
|
||||
$data = $theme->fetchStaticResource($resource);
|
||||
$data = $theme->fetchStaticResource(chandler_escape_url($resource));
|
||||
} else if($resClass === "stylesheet") {
|
||||
if($resource !== "styles.css")
|
||||
$this->notFound();
|
||||
|
@ -27,7 +27,7 @@ final class ThemepacksPresenter extends OpenVKPresenter
|
|||
if(!$data)
|
||||
$this->notFound();
|
||||
|
||||
header("Content-Type: " . system_extension_mime_type($resource));
|
||||
header("Content-Type: " . system_extension_mime_type($resource) ?? "text/plain; charset=unknown-8bit");
|
||||
header("Content-Size: " . strlen($data));
|
||||
header("Cache-Control: public, no-transform, max-age=31536000");
|
||||
exit($data);
|
||||
|
|
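Review bot: In the second hunk the `?? "text/plain; charset=unknown-8bit"` fallback can never apply, because `.` binds tighter than `??` in PHP and the concatenated string is never null; the lookup needs its own parentheses: `header("Content-Type: " . (system_extension_mime_type($resource) ?? "text/plain; charset=unknown-8bit"));`. As written, an unknown extension would presumably still produce an empty `Content-Type:` value and leave the browser to sniff theme-supplied bytes, so sending `X-Content-Type-Options: nosniff` alongside it is worth considering. In the first hunk the traversal fix rests entirely on what `chandler_escape_url()` removes, which this page does not show; a containment check inside `fetchStaticResource()` (resolve the final path and confirm it is still under the theme's root directory) would hold even if the escaping misses an encoding. The enclosing method starts and ends outside both hunks.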