Don't let web skin name ../../../../ access files outside of usual skins directories.

Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
2026-05-02 11:32:29 +02:00 · 2018-07-14 00:12:28 +01:00
parent d22fef8620
commit a4a5aeeb17
1 changed files with 5 additions and 3 deletions
--- a/src/WebModules.cpp
+++ b/src/WebModules.cpp
@@ -557,13 +557,15 @@ CWebSock::EPageReqResult CWebSock::PrintTemplate(const CString& sPageName,
 }

 CString CWebSock::GetSkinPath(const CString& sSkinName) {
-    CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkinName;
+    const CString sSkin = sSkinName.Replace_n("/", "_").Replace_n(".", "_");
+
+    CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkin;

    if (!CFile::IsDir(sRet)) {
-        sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkinName;
+        sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkin;

        if (!CFile::IsDir(sRet)) {
-            sRet = CString(_SKINDIR_) + "/" + sSkinName;
+            sRet = CString(_SKINDIR_) + "/" + sSkin;
        }
    }