webadmin: Restrict skins to be located inside the skins dir
One needs to be admin to change the current skin dir, but it still sounds like a good idea to be careful... Plus, this won't deny symlinks anyway! git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1412 726aef4b-f618-498e-8847-2d620e286838
@@ -252,9 +252,14 @@ CString CWebAdminSock::GetAvailSkinsDir() {
|
||||
}
|
||||
|
||||
CString CWebAdminSock::GetSkinDir() {
|
||||
CString sSkinDir = GetAvailSkinsDir() + GetModule()->GetSkinName() + "/";
|
||||
CString sAvailSkins = GetAvailSkinsDir();
|
||||
CString sSkinDir = sAvailSkins + GetModule()->GetSkinName() + "/";
|
||||
CString sDir = CDir::ChangeDir("./", sSkinDir, "/");
|
||||
|
||||
if (CFile::IsDir(sSkinDir)) {
|
||||
// Via ChangeDir() we check if someone tries to use e.g. a skin name
|
||||
// with embed .. or such evilness.
|
||||
if (sDir.Left(sAvailSkins.length()) == sAvailSkins
|
||||
&& CFile::IsDir(sSkinDir)) {
|
||||
return sSkinDir;
|
||||
}
|
||||
|
||||
@@ -263,8 +268,6 @@ CString CWebAdminSock::GetSkinDir() {
|
||||
|
||||
void CWebAdminSock::PrintPage(CString& sPageRet, const CString& sTmplName) {
|
||||
sPageRet.clear();
|
||||
// @todo possibly standardize the location of meta files such as these skins
|
||||
// @todo give an option for changing the current skin from 'default'
|
||||
CString sTmpl;
|
||||
|
||||
if (IsAdmin()) {
|
||||
|
||||
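Review bot: In GetSkinDir() the containment test is applied to the normalized `sDir`, but `CFile::IsDir()` and the `return` still use the raw `sSkinDir`, so the string that was validated is not the one handed to callers. Checking and returning the same value keeps the two from drifting apart, e.g. `&& CFile::IsDir(sDir)) {` followed by `return sDir + "/";` (re-adding the trailing slash that `sSkinDir` carries, if `CDir::ChangeDir()` strips it). The `Left()` prefix comparison is also only sound if `sAvailSkins` ends in `/` and is already in the form `ChangeDir()` produces. The body of GetAvailSkinsDir() is not visible in this hunk, so either add a comment stating that assumption or pass `sAvailSkins` through `ChangeDir()` before comparing. The rest of GetSkinDir() after the closing brace lies outside the hunk.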