partially revert #1559

Instead of automatically adding custom templates, we log an error if that template is missing in the available templates. Still mitigates arbitrary file inclusion, as the string is now checked against a fixed allow list.
2026-01-23 02:35:23 +00:00 · 2025-11-10 17:27:11 +01:00 · 2025-11-10 17:27:11 +01:00 · dae5f7fd61
commit dae5f7fd61
parent a479d75405
4 changed files with 12 additions and 55 deletions
--- a/lib/View.php
+++ b/lib/View.php
@ -49,7 +49,8 @@ class View
     */
    public function draw($template)
    {
-        $path = self::getTemplateFilePath($template);
+        $file = substr($template, 0, 10) === 'bootstrap-' ? 'bootstrap' : $template;
+        $path = PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php';
        if (!file_exists($path)) {
            throw new Exception('Template ' . $template . ' not found!', 80);
        }
@ -57,31 +58,6 @@ class View
        include $path;
    }

-    /**
-     * Get template file path
-     *
-     * @access public
-     * @param  string $template
-     * @return string
-     */
-    public static function getTemplateFilePath(string $template): string
-    {
-        $file = self::isBootstrapTemplate($template) ? 'bootstrap' : basename($template);
-        return PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php';
-    }
-
-    /**
-     * Is the template a variation of the bootstrap template
-     *
-     * @access public
-     * @param  string $template
-     * @return bool
-     */
-    public static function isBootstrapTemplate(string $template): bool
-    {
-        return substr($template, 0, 10) === 'bootstrap-';
-    }
-
    /**
     * echo script tag incl. SRI hash for given script file
     *