Improve asset file path handling

Luke Towers · Luke Towers · commit 2b8939cc8b5b · 2020-03-31T03:37:31.000-06:00
diff --git a/modules/cms/classes/Asset.php b/modules/cms/classes/Asset.php
@@ -285,7 +285,14 @@ public function getFilePath($fileName = null)
             $fileName = $this->fileName;
         }
 
-        return $this->theme->getPath().'/'.$this->dirName.'/'.$fileName;
+        // Limit paths to those under the assets directory
+        $directory = $this->theme->getPath() . '/' . $this->dirName . '/';
+        $path = realpath($directory . $fileName);
+        if (!starts_with($path, $directory)) {
+            return false;
+        }
+
+        return $path;
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,14 @@ public function getFilePath($fileName = null)`
`285`	`285`	`$fileName = $this->fileName;`
`286`	`286`	`}`
`287`	`287`
`288`		`- return $this->theme->getPath().'/'.$this->dirName.'/'.$fileName;`
	`288`	`+ // Limit paths to those under the assets directory`
	`289`	`+ $directory = $this->theme->getPath() . '/' . $this->dirName . '/';`
	`290`	`+ $path = realpath($directory . $fileName);`
	`291`	`+ if (!starts_with($path, $directory)) {`
	`292`	`+ return false;`
	`293`	`+ }`
	`294`	`+`
	`295`	`+ return $path;`
`289`	`296`	`}`
`290`	`297`
`291`	`298`	`/**`