added checking if the requested file is inside the intended directory
mariateresapomar committed Sep 26, 2022
1 parent 3824558 commit a0f7591
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions src/Module.php
Expand Up @@ -148,7 +148,7 @@ public function displayFile($sm)

// First check if asset in main public folder
$pathFile = $_SERVER['DOCUMENT_ROOT'] . $UriWithoutParams;
if (is_file($pathFile))
if (is_file($pathFile) && $this->checkFileInFolder($pathFile, $_SERVER['DOCUMENT_ROOT']))
$this->sendDocument($pathFile, $UriParams);
else
{
Expand Down Expand Up @@ -181,7 +181,7 @@ public function displayFile($sm)

if ($pathFile != '')
{
if (is_file($pathFile))
if (is_file($pathFile) && $this->checkFileInFolder($pathFile, $path . '/public/'))
$this->sendDocument($pathFile, $UriParams);
}
}
Expand Down Expand Up @@ -263,4 +263,18 @@ public function getAutoloaderConfig()
];
}

/*checks if the file is inside the given folder*/
protected function checkFileInFolder($file, $folder)
{
$path = realpath($file);
if ($path !== false) {
if (strpos($path, realpath($folder)) !== 0) {
throw new \Exception('Requested resource is outside of ' . $folder);
} else {
return true;
}
} else {
return false;
}
}
}
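Review bot: The containment test `strpos($path, realpath($folder)) !== 0` in the new checkFileInFolder compares against the resolved folder without a trailing separator, so a sibling directory whose name merely starts with the folder name (for example `public_old` next to the `$path . '/public/'` base used at the second call site) is accepted as "inside" it. `realpath($folder)` is also never checked for `false`; if the folder does not exist the needle degrades to `false`/`""` and the result depends on the PHP version (a warning and a throw on PHP 7, a match at offset 0 on PHP 8 that would pass every path). Appending DIRECTORY_SEPARATOR to the resolved base and returning false when either realpath fails closes both holes; the exception message could also stop embedding `$folder`, so an absolute server path is not echoed if the exception is ever rendered to the client. Note that realpath resolves symlinks, so a symlinked asset under the public folder that points elsewhere will now be refused — if that is intended, a one-line comment on the method saying so would help the next maintainer.

```php
    protected function checkFileInFolder($file, $folder)
    {
        $path = realpath($file);
        $base = realpath($folder);
        if ($path === false || $base === false) {
            return false;
        }
        // Compare with a trailing separator so "/srv/public" does not also
        // accept "/srv/public_old/secret"; realpath() strips any trailing slash.
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($path, $base) !== 0) {
            throw new \Exception('Requested resource is outside of the allowed directory');
        }
        return true;
    }
```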
