
Refactored ThemeController#render_theme_item to return 404 message wh…

…en the file doesn't exist or the filename is blank, instead of only when the path contains '..'
reidab authored and igal committed Jan 27, 2009
1 parent 50b037b commit bac70eef4ba302659044aea52f74d4f159aa1f1a
Showing with 7 additions and 2 deletions.
  1. +7 −2 vendor/plugins/theme_support/lib/theme_controller.rb
@@ -21,8 +21,13 @@ def error
private
def render_theme_item(type, file, theme, mime = mime_for(file))
render :text => "Not Found", :status => 404 and return if file.split(%r{[\\/]}).include?("..")
send_file "#{Theme.path_to_theme(theme)}/#{type}/#{file}", :type => mime, :disposition => 'inline', :stream => false
file_path = "#{Theme.path_to_theme(theme)}/#{type}/#{file}"
if file.split(%r{[\\/]}).include?("..") || !File.exists?(file_path) || file.blank?
render :text => "Not Found", :status => 404
return
else
send_file file_path, :type => mime, :disposition => 'inline', :stream => false
end
end
def cache_theme_files
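Review bot: In the new guard in render_theme_item, `file.blank?` is tested last, so a nil `file` would raise NoMethodError at `file.split` before the blank check runs, and `File.exists?` is also true for a directory, which would pass the guard and then fail inside `send_file`. I would reorder and tighten the condition to `if file.blank? || file.split(%r{[\\/]}).include?("..") || !File.file?(file_path)`. Only `file` is screened for `..`, while `type` and `theme` are interpolated into `file_path` unchecked; their origin is not visible in this hunk, but if either comes from the request, comparing `File.expand_path(file_path)` against the expanded theme root before serving would cover all three segments.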
