From: <ps...@us...> - 2009-03-06 14:25:28
Revision: 1412
http://znc.svn.sourceforge.net/znc/?rev=1412&view=rev
Author: psychon
Date: 2009-03-06 14:24:47 +0000 (Fri, 06 Mar 2009)
Log Message:
-----------
webadmin: Restrict skins to be located inside the skins dir One needs to be admin to change the current skin dir, but it still sounds like a good idea to be careful... Plus, this wont deny symlinks anyway!
Modified Paths:
--------------
trunk/modules/webadmin.cpp
Modified: trunk/modules/webadmin.cpp
===================================================================
--- trunk/modules/webadmin.cpp 2009-03-06 13:30:09 UTC (rev 1411)
+++ trunk/modules/webadmin.cpp 2009-03-06 14:24:47 UTC (rev 1412)
@@ -252,9 +252,14 @@
 }
 CString CWebAdminSock::GetSkinDir() {
- CString sSkinDir = GetAvailSkinsDir() + GetModule()->GetSkinName() + "/";
+ CString sAvailSkins = GetAvailSkinsDir();
+ CString sSkinDir = sAvailSkins + GetModule()->GetSkinName() + "/";
+ CString sDir = CDir::ChangeDir("./", sSkinDir, "/");
- if (CFile::IsDir(sSkinDir)) {
+ // Via ChangeDir() we check if someone tries to use e.g. a skin name
+ // with embed .. or such evilness.
+ if (sDir.Left(sAvailSkins.length()) == sAvailSkins
+ && CFile::IsDir(sSkinDir)) {
 return sSkinDir;
 }
@@ -263,8 +268,6 @@
 void CWebAdminSock::PrintPage(CString& sPageRet, const CString& sTmplName) {
 sPageRet.clear();
- // @todo possibly standardize the location of meta files such as these skins
- // @todo give an option for changing the current skin from 'default'
 CString sTmpl;
 if (IsAdmin()) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
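Review bot: The new guard in GetSkinDir(), `sDir.Left(sAvailSkins.length()) == sAvailSkins`, is a bare string-prefix compare, so it only confines the result to the skins directory if sAvailSkins ends with a path separator; should GetAvailSkinsDir() ever return the directory without a trailing "/" (not visible here), a sibling directory whose name merely extends it (e.g. `skins2`) reached via `..` would pass the check. It also compares the normalized sDir against the un-normalized base, so a base containing `./`, `//` or a relative prefix could make legitimate skins fail the compare, while the directory test and the returned value still use the raw sSkinDir rather than the normalized path. I would normalize the base the same way, append a "/" to it when one is missing, and test the normalized path: `CString sBase = CDir::ChangeDir("./", sAvailSkins, "/");` followed by the trailing-slash fix-up and `if (sDir.Left(sBase.length()) == sBase && CFile::IsDir(sDir)) {`. Whether CDir::ChangeDir() actually collapses `..` and `.` as the new comment assumes cannot be confirmed from this hunk and deserves a unit test with a skin name like `../../etc`; GetSkinDir()'s fallback return lies outside the hunk.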