Merge pull request from GHSA-5p3f-rh28-8frw
v2.9 Backport
nilmerg committed Mar 8, 2022
2 parents e9d775d + bf0ad4b commit 9931ed7
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions library/Icinga/Web/Controller/StaticController.php
Expand Up @@ -39,10 +39,21 @@ public function handle(Request $request)
}

$assetRoot = $library->getStaticAssetPath();
if (empty($assetRoot)) {
$app->getResponse()
->setHttpResponseCode(404);

return;
}

$filePath = $assetRoot . DIRECTORY_SEPARATOR . $assetPath;
$dirPath = realpath(dirname($filePath)); // dirname, because the file may be a link

// Doesn't use realpath as it isn't supposed to access files outside asset/static
if (! is_readable($filePath) || ! is_file($filePath)) {
if (
$dirPath === false
|| substr($dirPath, 0, strlen($assetRoot)) !== $assetRoot
|| ! is_file($filePath)
) {
$app->getResponse()
->setHttpResponseCode(404);

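Review bot: The containment test `substr($dirPath, 0, strlen($assetRoot)) !== $assetRoot` is a bare string-prefix comparison, so a canonical directory that merely shares the prefix of the asset root (a sibling named `<assetRoot>-something`) would pass as being inside it. Anchoring the check on a separator boundary closes that gap, e.g. `|| ($dirPath !== $assetRoot && substr($dirPath, 0, strlen($assetRoot) + 1) !== $assetRoot . DIRECTORY_SEPARATOR)`. The left side is canonicalised by `realpath()` while `$assetRoot` is used exactly as `getStaticAssetPath()` returns it; unless that value is guaranteed to be canonical and free of a trailing separator (not visible here), the comparison yields false 404s, so running `$assetRoot` through `realpath()` once after the `empty()` check would keep both sides in the same form. The rewritten condition also drops the former `is_readable()` test, so an unreadable regular file now proceeds to whatever reads it further down, which lies outside this hunk. `handle()` starts and ends outside the hunk.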
