Mirrors/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2026-01-23 02:35:23 +00:00
Code Issues Projects Releases Wiki Activity

use realpath and validate tpl directory contents

Browse source 
to ensure only php files inside the tpl dir can get used as templates
This commit is contained in:
El RIDO 2025-11-11 09:34:54 +01:00
parent dae5f7fd61
commit f2164353c3
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
2 changed files with 22 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

17
lib/View.php
View file

@ -12,6 +12,7 @@
namespace PrivateBin;
use Exception;
use GlobIterator;
/**
* View
@ -49,13 +50,21 @@ class View
*/
public function draw($template)
{
$dir = PATH . 'tpl' . DIRECTORY_SEPARATOR;
$file = substr($template, 0, 10) === 'bootstrap-' ? 'bootstrap' : $template;
$path = PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php';
if (!file_exists($path)) {
$path = realpath($dir . $file . '.php');
if ($path === false) {
throw new Exception('Template ' . $template . ' not found!', 80);
}
extract($this->_variables);
include $path;
foreach (new GlobIterator($dir . '*.php') as $tplFile) {
if ($tplFile->getRealPath() === $path) {
$templatesInPath = new GlobIterator(PATH . 'tpl' . DIRECTORY_SEPARATOR . '*.php');
extract($this->_variables);
include $path;
return;
}
}
throw new Exception('Template ' . $file . '.php not found in ' . $dir . '!', 81);
}
/**

9
tst/ViewTest.php
View file

@ -141,4 +141,13 @@ class ViewTest extends TestCase
$this->expectExceptionCode(80);
$test->draw('123456789 does not exist!');
}
public function testInvalidTemplate()
{
$test = new View;
$this->expectException(Exception::class);
$this->expectExceptionCode(81);
$test->draw('../index');
}
}