From a4a5aeeb17d32937d8c7d743dae9a4cc755ce773 Mon Sep 17 00:00:00 2001
From: Alexey Sokolov
Date: Sat, 14 Jul 2018 00:12:28 +0100
Subject: [PATCH] Don't let web skin name ../../../../ access files outside of usual skins directories.

Thanks for Jeriko One for finding and reporting this.
---
 src/WebModules.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/WebModules.cpp b/src/WebModules.cpp
index 19ece50a..a5841987 100644
--- a/src/WebModules.cpp
+++ b/src/WebModules.cpp
@@ -557,13 +557,15 @@ CWebSock::EPageReqResult CWebSock::PrintTemplate(const CString& sPageName,
 }
 CString CWebSock::GetSkinPath(const CString& sSkinName) {
- CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkinName;
+ const CString sSkin = sSkinName.Replace_n("/", "_").Replace_n(".", "_");
+
+ CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkin;
 if (!CFile::IsDir(sRet)) {
- sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkinName;
+ sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkin;
 if (!CFile::IsDir(sRet)) {
- sRet = CString(_SKINDIR_) + "/" + sSkinName;
+ sRet = CString(_SKINDIR_) + "/" + sSkin;
 }
 }