
SW-14719 - Improve input validation in ScriptRenderer

This issue has been identified by David Vieira-Kurz (@secalert) on behalf of
Immobilien Scout GmbH.
bcremer committed Apr 6, 2016
1 parent 888c154 commit d73e9031a5b2ab6e918eb86d1e2b2e873cd3558d
@@ -170,28 +170,35 @@ public function getTemplateName()
}
$templateNames = array();
foreach ($fileNames as $fileName) {
// Remove unwanted characters
$fileName = preg_replace('/[^a-z0-9\/_-]/i', '', $fileName);
// Replace multiple forward slashes
$fileName = preg_replace('#/+#', '/', $fileName);
// Remove leading and trailing forward slash
$fileName = trim($fileName, '/');
// if string starts with "m/" replace with "model/"
$fileName = preg_replace('/^m\//', 'model/', $fileName);
$fileName = preg_replace('/^c\//', 'controller/', $fileName);
$fileName = preg_replace('/^v\//', 'view/', $fileName);
$fileName = ltrim(dirname($fileName) . '/' . basename($fileName, '.js'), '/.');
if (empty($fileName)) {
continue;
}
$templateNames[] = $inflector->filter(array(
$fileName = $inflector->filter(array(
'module' => $moduleName,
'controller' => $controllerName,
'file' => $fileName)
);
'file' => $fileName
));
$templateNames[] = $fileName;
}
$count = count($templateNames);
if ($count === 0) {
return null;
} elseif ($count === 1) {
@@ -208,26 +208,36 @@ public function extendsAction()
$this->View()->Engine()->setCompileId($this->View()->Engine()->getCompileId() . '_' . $this->Request()->getControllerName());
foreach ($fileNames as $fileName) {
// Remove unwanted characters
$fileName = preg_replace('/[^a-z0-9\/_-]/i', '', $fileName);
// Replace multiple forward slashes
$fileName = preg_replace('#/+#', '/', $fileName);
// Remove leading and trailing forward slash
$fileName = trim($fileName, '/');
// if string starts with "m/" replace with "model/"
$fileName = preg_replace('/^m\//', 'model/', $fileName);
$fileName = preg_replace('/^c\//', 'controller/', $fileName);
$fileName = preg_replace('/^v\//', 'view/', $fileName);
$fileName = ltrim(dirname($fileName) . '/' . basename($fileName, '.js'), '/.');
if (empty($fileName)) {
continue;
}
$templateBase = $inflector->filter(array(
'module' => $moduleName,
'module' => $moduleName,
'controller' => $controllerName,
'file' => $fileName)
);
'file' => $fileName
));
$templateExtend = $inflector->filter(array(
'module' => $moduleName,
'module' => $moduleName,
'controller' => $this->Request()->getControllerName(),
'file' => $fileName)
);
'file' => $fileName
));
if ($this->View()->templateExists($templateBase)) {
$template .= '{include file="' . $templateBase. '"}' . "\n";
}
