- fixed Directory Traversal vulnerability. Using realpath for that;
nikitasinelnikov committed Sep 27, 2022
1 parent 14dc36b commit e1bc94c
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions includes/core/class-shortcodes.php
Expand Up @@ -276,17 +276,19 @@ function load_template( $tpl ) {
extract( $args );
}

// Avoid Directory Traversal vulnerability.
$tpl = trim( $tpl, "./\\" );

$file = um_path . "templates/{$tpl}.php";
$theme_file = get_stylesheet_directory() . "/ultimate-member/templates/{$tpl}.php";
if ( file_exists( $theme_file ) ) {
$file = $theme_file;
}

if ( file_exists( $file ) ) {
include $file;
// Avoid Directory Traversal vulnerability by the checking the realpath.
// Templates can be situated only in the get_stylesheet_directory() or plugindir templates.
$real_file = realpath( $file );
if ( 0 === strpos( $real_file, um_path . "templates" . DIRECTORY_SEPARATOR ) || 0 === strpos( $real_file, get_stylesheet_directory() . DIRECTORY_SEPARATOR . 'ultimate-member' . DIRECTORY_SEPARATOR . 'templates' . DIRECTORY_SEPARATOR ) ) {
include $file;
}
}
}
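Review bot: The allow-list prefixes in the new `if` are built from the raw `um_path` and `get_stylesheet_directory()` values while `$real_file` is canonicalised, so a symlink, a `..` segment or a different separator style in either base path makes the prefix never match and the template is silently not loaded; canonicalise both base directories with `realpath()` before comparing. `realpath()` can also return `false` even after `file_exists()` succeeded (permission problems), and `strpos(false, ...)` is a TypeError on PHP 8, so the result should be guarded before the comparison. Including `$real_file` instead of `$file` keeps the path that was checked and the path that is loaded identical. The body of `load_template` begins before this hunk, so the earlier handling of `$tpl` and `$args` is not visible here.
```php
// … unchanged: $file / $theme_file selection and file_exists() check …
$real_file  = realpath( $file );
$plugin_dir = realpath( um_path . 'templates' );
$theme_dir  = realpath( get_stylesheet_directory() . '/ultimate-member/templates' );
// Compare canonical path against canonical base directories only.
$in_plugin = false !== $plugin_dir && 0 === strpos( $real_file, $plugin_dir . DIRECTORY_SEPARATOR );
$in_theme  = false !== $theme_dir && 0 === strpos( $real_file, $theme_dir . DIRECTORY_SEPARATOR );
if ( false !== $real_file && ( $in_plugin || $in_theme ) ) {
    include $real_file;
}
```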

