Menu
▾
▴
[ZNC-commits] SF.net SVN: znc:[1412] trunk/modules/webadmin.cpp
|
From: <ps...@us...> - 2009-03-06 14:25:28
|
Revision: 1412
http://znc.svn.sourceforge.net/znc/?rev=1412&view=rev
Author: psychon
Date: 2009-03-06 14:24:47 +0000 (Fri, 06 Mar 2009)
Log Message:
-----------
webadmin: Restrict skins to be located inside the skins dir
One needs to be admin to change the current skin dir, but it still sounds
like a good idea to be careful...
Plus, this wont deny symlinks anyway!
Modified Paths:
--------------
trunk/modules/webadmin.cpp
Modified: trunk/modules/webadmin.cpp
===================================================================
--- trunk/modules/webadmin.cpp 2009-03-06 13:30:09 UTC (rev 1411)
+++ trunk/modules/webadmin.cpp 2009-03-06 14:24:47 UTC (rev 1412)
@@ -252,9 +252,14 @@
}
CString CWebAdminSock::GetSkinDir() {
- CString sSkinDir = GetAvailSkinsDir() + GetModule()->GetSkinName() + "/";
+ CString sAvailSkins = GetAvailSkinsDir();
+ CString sSkinDir = sAvailSkins + GetModule()->GetSkinName() + "/";
+ CString sDir = CDir::ChangeDir("./", sSkinDir, "/");
- if (CFile::IsDir(sSkinDir)) {
+ // Via ChangeDir() we check if someone tries to use e.g. a skin name
+ // with embed .. or such evilness.
+ if (sDir.Left(sAvailSkins.length()) == sAvailSkins
+ && CFile::IsDir(sSkinDir)) {
return sSkinDir;
}
@@ -263,8 +268,6 @@
void CWebAdminSock::PrintPage(CString& sPageRet, const CString& sTmplName) {
sPageRet.clear();
- // @todo possibly standardize the location of meta files such as these skins
- // @todo give an option for changing the current skin from 'default'
CString sTmpl;
if (IsAdmin()) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|