Fixed legacy paths being too / tolerant.
parent
904d220582
commit
67d9620037
1 changed files with 6 additions and 2 deletions
|
@ -131,11 +131,15 @@ CSRF::init(
|
||||||
$router = $msz->createRouting();
|
$router = $msz->createRouting();
|
||||||
$msz->startTemplating();
|
$msz->startTemplating();
|
||||||
|
|
||||||
$mszRequestPath = $request->getPath();
|
$mszRequestPath = substr($request->getPath(), 1);
|
||||||
$mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';
|
$mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';
|
||||||
$mszLegacyPath = realpath($mszLegacyPathPrefix . $mszRequestPath);
|
$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;
|
||||||
|
|
||||||
if(!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
|
if(!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
|
||||||
|
$mszLegacyPathReal = realpath($mszLegacyPath);
|
||||||
|
if($mszLegacyPath !== $mszLegacyPathReal && $mszLegacyPath !== $mszLegacyPathReal . '/')
|
||||||
|
Template::throwError(404);
|
||||||
|
|
||||||
if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())
|
if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())
|
||||||
Template::throwError(403);
|
Template::throwError(403);
|
||||||
|
|
||||||
|
|
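Review bot: The `/manage` access check can no longer match, because `$mszRequestPath` now has its leading slash removed by `substr($request->getPath(), 1)` while the condition still tests `str_starts_with($mszRequestPath, '/manage')`; as written, `hasManageAccess()` is never consulted for legacy manage pages unless those scripts enforce it themselves. The tested prefix should lose its slash as well: `if(str_starts_with($mszRequestPath, 'manage') && !$msz->hasManageAccess())`. Separately, `$mszLegacyPath` is now built by concatenation onto `$mszLegacyPathPrefix`, so the outer `!empty(...) && str_starts_with(...)` condition is always true and containment rests entirely on the `realpath()` comparison; from what the hunk shows, a request with no matching legacy file would reach `Template::throwError(404)` before the router runs, which is worth confirming. The `if(...) {` block continues outside the hunk.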