
Commit c163bf5

Merge pull request #1699 from conejoninja/fixescve
some fixes
2 parents 778eff1 + e3e0278 commit c163bf5

5 files changed

+45
-18
lines changed


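--- a/oc-admin/appearance.php
+++ b/oc-admin/appearance.php
@@ -169,7 +169,34 @@ function doModel()
 $this->redirectTo( osc_admin_base_url(true) . "?page=appearance" );
 break;
 case('render'):
-$this->_exportVariableToView('file', osc_base_path() . Params::getParam("file"));
+if(Params::existParam('route')) {
+$routes = Rewrite::newInstance()->getRoutes();
+$rid = Params::getParam('route');
+$file = '../';
+if(isset($routes[$rid]) && isset($routes[$rid]['file'])) {
+$file = $routes[$rid]['file'];
+}
+} else {
+// DEPRECATED: Disclosed path in URL is deprecated, use routes instead
+// This will be REMOVED in 3.6
+$file = Params::getParam('file');
+// We pass the GET variables (in case we have somes)
+if(preg_match('|(.+?)\?(.*)|', $file, $match)) {
+$file = $match[1];
+if(preg_match_all('|&([^=]+)=([^&]*)|', urldecode('&'.$match[2].'&'), $get_vars)) {
+for($var_k=0;$var_k<count($get_vars[1]);$var_k++) {
+Params::setParam($get_vars[1][$var_k], $get_vars[2][$var_k]);
+}
+}
+} else {
+$file = Params::getParam('file');
+};
+}
+
+if(strpos($file, '../')!==false || !file_exists(osc_base_path() . $file)) {
+osc_add_flash_warning_message(__('Error loading theme custom file'), 'admin');
+};
+$this->_exportVariableToView('file', osc_base_path() . $file);
 $this->doView('appearance/view.php');
 break;
 default: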
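Review bot: The traversal check on new line 196 fails open: when `$file` contains `../` or does not exist, the code only queues a flash warning and then still exports the path to the view on line 199 and renders it on line 200, so the view's own include guard becomes the only barrier. The branch should leave the case the same way line 169 does, e.g. `osc_add_flash_warning_message(__('Error loading theme custom file'), 'admin'); $this->redirectTo( osc_admin_base_url(true) . "?page=appearance" );`, so that a rejected path never reaches `require_once`. A substring test for `../` also does not cover backslash separators on Windows or symlinked directories; comparing `realpath(osc_base_path() . $file)` against `realpath(osc_base_path())` as a prefix is the more robust form of the same check. The stray `;` after the closing braces on lines 193 and 198 should be dropped. doModel() starts before and continues after this hunk.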

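--- a/oc-admin/themes/modern/appearance/view.php
+++ b/oc-admin/themes/modern/appearance/view.php
@@ -14,7 +14,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-
+$file = __get('file');
 osc_add_hook('admin_page_header','customPageHeader');
 function customPageHeader() { ?>
 <h1><?php echo osc_apply_filter('custom_appearance_title', __('Appearance')); ?></h1>
@@ -30,8 +30,8 @@ function customPageTitle($string) {
 <!-- theme files -->
 <div class="theme-files">
 <?php
-if( file_exists(__get('file')) ) {
-require_once __get('file');
+if(strpos($file, '../')===false && file_exists($file)) {
+require_once $file;
 }
 ?>
 </div>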
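Review bot: The guard on new line 33 still uses `file_exists()`, which is true for directories, so when the `file` parameter is empty and `$file` is just the base path the `require_once` on line 34 is attempted on a directory and fails; `is_file($file)` is the check that matches the intent: `if(strpos($file, '../')===false && is_file($file)) {`. The `../` substring test here mirrors the one in appearance.php and has the same gaps (backslash separators, symlinks); if the controller is made to fail closed this view-side check is a reasonable second layer, but it should not be the only one. The identical change in oc-admin/themes/modern/plugins/view.php has the same issue and the same fix applies there.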

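--- a/oc-admin/themes/modern/plugins/view.php
+++ b/oc-admin/themes/modern/plugins/view.php
@@ -14,7 +14,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-
+$file = __get('file');
 osc_add_hook('admin_page_header','customPageHeader');
 function customPageHeader() { ?>
 <h1><?php echo osc_apply_filter('custom_plugin_title',__('Plugins')); ?></h1>
@@ -30,8 +30,8 @@ function customPageTitle($string) {
 <!-- theme files -->
 <div class="theme-files">
 <?php
-if( file_exists(__get('file')) ) {
-require_once __get('file');
+if(strpos($file, '../')===false && file_exists($file)) {
+require_once $file;
 }
 ?>
 </div>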

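--- a/oc-includes/osclass/classes/datatables/ItemsDataTable.php
+++ b/oc-includes/osclass/classes/datatables/ItemsDataTable.php
@@ -138,8 +138,8 @@ private function addTableHeader()
 $this->addColumn('user', __('User'));
 $this->addColumn('category', __('Category'));
 $this->addColumn('location', __('Location'));
-$this->addColumn('date', '<a href="'.$url_base.$arg_date.'">'.__('Date').'</a>');
-$this->addColumn('expiration', '<a href="'.$url_base.$arg_expiration.'">'.__('Expiration date').'</a>');
+$this->addColumn('date', '<a href="'.osc_esc_html($url_base.$arg_date).'">'.__('Date').'</a>');
+$this->addColumn('expiration', '<a href="'.osc_esc_html($url_base.$arg_expiration).'">'.__('Expiration date').'</a>');
 
 $dummy = &$this;
 osc_run_hook("admin_items_table", $dummy);
@@ -197,13 +197,13 @@ private function addTableHeaderReported()
 $this->addColumn('bulkactions', '<input id="check_all" type="checkbox" />');
 $this->addColumn('title', __('Title'));
 $this->addColumn('user', __('User'));
-$this->addColumn('spam', '<a id="order_spam" href="'.$url_spam.'">'.__('Spam').'</a>');
-$this->addColumn('bad', '<a id="order_bad" href="'.$url_bad.'">'.__('Misclassified').'</a>');
-$this->addColumn('rep', '<a id="order_rep" href="'.$url_rep.'">'.__('Duplicated').'</a>');
-$this->addColumn('exp', '<a id="order_exp" href="'.$url_exp.'">'.__('Expired').'</a>');
-$this->addColumn('off', '<a id="order_off" href="'.$url_off.'">'.__('Offensive').'</a>');
-$this->addColumn('date', '<a id="order_date" href="'.$url_date.'">'.__('Date').'</a>');
-$this->addColumn('expiration', '<a id="order_expiration" href="'.$url_expiration.'">'.__('Expiration date').'</a>');
+$this->addColumn('spam', '<a id="order_spam" href="'.osc_esc_html($url_spam).'">'.__('Spam').'</a>');
+$this->addColumn('bad', '<a id="order_bad" href="'.osc_esc_html($url_bad).'">'.__('Misclassified').'</a>');
+$this->addColumn('rep', '<a id="order_rep" href="'.osc_esc_html($url_rep).'">'.__('Duplicated').'</a>');
+$this->addColumn('exp', '<a id="order_exp" href="'.osc_esc_html($url_exp).'">'.__('Expired').'</a>');
+$this->addColumn('off', '<a id="order_off" href="'.osc_esc_html($url_off).'">'.__('Offensive').'</a>');
+$this->addColumn('date', '<a id="order_date" href="'.osc_esc_html($url_date).'">'.__('Date').'</a>');
+$this->addColumn('expiration', '<a id="order_expiration" href="'.osc_esc_html($url_expiration).'">'.__('Expiration date').'</a>');
 
 $dummy = &$this;
 osc_run_hook("admin_items_reported_table", $dummy);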
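Review bot: Escaping at the href sink on new lines 141–142 and 200–206 is the right place for it, but `$url_base`, `$arg_date` and the `$url_*` values are assembled earlier in addTableHeader() and addTableHeaderReported(), outside this hunk, so whether their sort-column and direction components are restricted to a known list cannot be confirmed here; presumably they carry request parameters, and a whitelist at that point would make the escaping defence-in-depth rather than the sole control. The nine near-identical `'<a ... href="'.osc_esc_html(...).'">'.__(...).'</a>'` strings are easy to drift apart; a small private helper such as `private function sortLink($url, $label, $id = '') { return '<a'.($id !== '' ? ' id="'.$id.'"' : '').' href="'.osc_esc_html($url).'">'.$label.'</a>'; }` would keep the escaping in one spot. The same pattern is applied in MediaDataTable.php's addTableHeader() and the same notes apply there. Both enclosing methods start before and continue after their hunks.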

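--- a/oc-includes/osclass/classes/datatables/MediaDataTable.php
+++ b/oc-includes/osclass/classes/datatables/MediaDataTable.php
@@ -73,8 +73,8 @@ private function addTableHeader()
 $this->addColumn('bulkactions', '<input id="check_all" type="checkbox" />');
 $this->addColumn('file', __('File'));
 $this->addColumn('action', __('Action'));
-$this->addColumn('attached_to', '<a href="'.$url_base.$arg_item.'">'.__('Attached to').'</a>');
-$this->addColumn('date', '<a href="'.$url_base.$arg_date.'">'.__('Date').'</a>');
+$this->addColumn('attached_to', '<a href="'.osc_esc_html($url_base.$arg_item).'">'.__('Attached to').'</a>');
+$this->addColumn('date', '<a href="'.osc_esc_html($url_base.$arg_date).'">'.__('Date').'</a>');
 
 $dummy = &$this;
 osc_run_hook("admin_media_table", $dummy);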
