program/include/rcmail_output_html.php
@@ -224,6 +224,17 @@ */ public function set_skin($skin) { // Sanity check to prevent from path traversal vulnerability (#1490620) if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) { rcube::raise_error(array( 'file' => __FILE__, 'line' => __LINE__, 'message' => 'Invalid skin name' ), true, false); return false; } $valid = false; $path = RCUBE_INSTALL_PATH . 'skins/';
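Review bot: The new guard in set_skin() is a deny-list of two separator characters, so it rejects `/` and `\` but still accepts other values that are not plain directory names, such as a name made only of dots or a non-string value (strpos() on an array warns or throws rather than failing cleanly). An allow-list is tighter and easier to audit, for example `if (!is_string($skin) || !preg_match('/^[a-zA-Z0-9_-]+$/', $skin)) {`, assuming the shipped skin directory names fit that character set. The rest of set_skin(), where `$path . $skin` is actually used, lies outside this hunk, so I cannot confirm from here whether a later directory check narrows this further. The logged 'Invalid skin name' message would also help triage more if it named set_skin() as the rejecting call site, without writing the raw rejected value into the log unescaped.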