Fixed vulnerability in getextension.php that allowed reading files outside of the extension directory.
naub committed Mar 9, 2016
1 parent 7ae7ec5 commit 49fff15
Showing 2 changed files with 5 additions and 2 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
6.6.6
6.6.7
5 changes: 4 additions & 1 deletion www/getextension.php
@@ -36,7 +36,10 @@
include( 'functions.php' );

$extension = $_GET['extension'];
if( strpos($extension,'/') || strpos($extension,"\\") or !file_exists($path = $WEBCONFIG['sitefusionPath'].'/extensions/'.$extension) ) {
$allowedRoot = realpath($WEBCONFIG['sitefusionPath'].'/extensions');
$path = realpath($allowedRoot.'/'.$extension);

if (!(substr($path, 0, strlen($allowedRoot)) == $allowedRoot && file_exists($path))) {
echo "Invalid extension: $extension";
exit(1);
}
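Review bot: the prefix test on the new line `if (!(substr($path, 0, strlen($allowedRoot)) == $allowedRoot && file_exists($path)))` compares against `$allowedRoot` without a trailing directory separator, so any sibling directory whose name merely begins with `extensions` would also satisfy it; compare against `$allowedRoot . DIRECTORY_SEPARATOR` instead, and use `===` rather than `==` for the string comparison. The `realpath()` call does fail closed when the resolved path does not exist, since it returns `false` and `substr(false, 0, ...)` yields an empty string (or `false` on older PHP), neither of which equals `$allowedRoot`, so the `file_exists($path)` clause is redundant but harmless. One remaining gap is an empty `extension` parameter: `realpath($allowedRoot.'/')` resolves to `$allowedRoot` itself, which passes both conditions; rejecting an empty or non-string `$_GET['extension']` before the `realpath()` call would close it.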

0 comments on commit 49fff15