From 7a2df05c762ced4c7eedf29cbcdbef4560f427c0 Mon Sep 17 00:00:00 2001 From: Petr Skoda Date: Sat, 22 May 2010 19:28:29 +0000 Subject: [PATCH] better protection of JS minify script --- lib/javascript.php | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/lib/javascript.php b/lib/javascript.php index 34e552ee98b..5c322073a13 100644 --- a/lib/javascript.php +++ b/lib/javascript.php @@ -34,13 +34,29 @@ require_once('Minify.php'); $file = min_optional_param('file', '', 'RAW'); $rev = min_optional_param('rev', 0, 'INT'); -if (strpos($file, ',')) { - $jsfiles = explode(',', $file); - foreach ($jsfiles as $key=>$file) { - $jsfiles[$key] = $CFG->dirroot.$file; +// some security first - pick only files with .js extension in dirroot +$jsfiles = array(); +$files = explode(',', $file); +foreach ($files as $fsfile) { + $jsfile = realpath($CFG->dirroot.$fsfile); + if ($jsfile === false) { + // does not exist + continue; } -} else { - $jsfiles = array($CFG->dirroot.$file); + if (strpos($jsfile, $CFG->dirroot . DIRECTORY_SEPARATOR) !== 0) { + // hackers - not in dirroot + continue; + } + if (substr($jsfile, -1) !== '.js') { + // hackers - not a JS file + continue; + } + $jsfiles[] = $jsfile; +} + +if (!$jsfiles) { + // bad luck - no valid files + die(); } minify($jsfiles);