Dev Template fix

LimeSurvey · Nov 8, 2017 · 60cecd1 · 60cecd1
1 parent 2b90f21
commit 60cecd1
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/application/helpers/common_helper.php b/application/helpers/common_helper.php
@@ -6268,5 +6268,25 @@ function regenerateCSRFToken(){
         $cookie->expire = time()-3600;
         Yii::app()->request->cookies['YII_CSRF_TOKEN'] = $cookie;
     }
-
+
+    /**
+    * A function to remove ../ or ./ from paths to prevent directory traversal
+    * 
+    * @param mixed $path
+    */
+    function get_absolute_path($path) {
+        $path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
+        $parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
+        $absolutes = array();
+        foreach ($parts as $part) {
+            if ('.' == $part) continue;
+            if ('..' == $part) {
+                array_pop($absolutes);
+            } else {
+                $absolutes[] = $part;
+            }
+        }
+        return implode(DIRECTORY_SEPARATOR, $absolutes);
+    }
+
 // Closing PHP tag intentionally omitted - yes, it is okay
diff --git a/application/models/TemplateConfiguration.php b/application/models/TemplateConfiguration.php
@@ -125,7 +125,6 @@ public function setTemplateConfiguration($sTemplateName='', $iSurveyId='')
         // Simple Xml is buggy on PHP < 5.4. The [ array -> json_encode -> json_decode ] workaround seems to be the most used one.
         // @see: http://php.net/manual/de/book.simplexml.php#105330 (top comment on PHP doc for simplexml)
         $this->config  = json_decode( json_encode ( ( array ) simplexml_load_string($sXMLConfigFile), 1));
-
         // Template configuration
         // Ternary operators test if configuration entry exists in the config file (to avoid PHP notice in user custom templates)
         $this->viewPath                 = (isset($this->config->engine->pstpldirectory))           ? $this->path.DIRECTORY_SEPARATOR.$this->config->engine->pstpldirectory.DIRECTORY_SEPARATOR                            : $this->path;
@@ -134,6 +133,10 @@ public function setTemplateConfiguration($sTemplateName='', $iSurveyId='')
         $this->cssFramework             = (isset($this->config->engine->cssframework))             ? $this->config->engine->cssframework                                                                                  : '';
         $this->packages                 = (isset($this->config->engine->packages->package))        ? $this->config->engine->packages->package                                                                             : array();
 
+        debugbreak();
+        foreach(@$this->config->files->css->filename as $name){
+            $name=get_absolute_path($name);
+        }
         // overwrite_question_views accept different values : "true" or "yes"
         $this->overwrite_question_views = (isset($this->config->engine->overwrite_question_views)) ? ($this->config->engine->overwrite_question_views=='true' || $this->config->engine->overwrite_question_views=='yes' ) : false;