Fixed legacy paths being too / tolerant.
parent
904d220582
commit
67d9620037
1 changed files with 6 additions and 2 deletions
|
@ -131,11 +131,15 @@ CSRF::init(
|
|||
$router = $msz->createRouting();
|
||||
$msz->startTemplating();
|
||||
|
||||
$mszRequestPath = $request->getPath();
|
||||
$mszRequestPath = substr($request->getPath(), 1);
|
||||
$mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';
|
||||
$mszLegacyPath = realpath($mszLegacyPathPrefix . $mszRequestPath);
|
||||
$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;
|
||||
|
||||
if(!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
|
||||
$mszLegacyPathReal = realpath($mszLegacyPath);
|
||||
if($mszLegacyPath !== $mszLegacyPathReal && $mszLegacyPath !== $mszLegacyPathReal . '/')
|
||||
Template::throwError(404);
|
||||
|
||||
if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())
|
||||
Template::throwError(403);
|
||||
|
||||
|
|
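Review bot: The manage gate `if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())` still expects a leading slash, but if `$mszRequestPath = substr($request->getPath(), 1);` is the new side (inferred, since the rendered page has lost its +/- markers), the path no longer starts with `/` and the 403 check would never fire for legacy manage pages. Restoring the slash for this one comparison keeps the previous semantics: `if(str_starts_with('/' . $mszRequestPath, '/manage') && !$msz->hasManageAccess())`. Separately, once `$mszLegacyPath` is built by plain concatenation the outer `!empty(...) && str_starts_with(...)` guard is always true, and `realpath()` returns `false` for a missing file, so any request without a legacy counterpart appears to reach `Template::throwError(404)` before the router is consulted. It is worth confirming that is intended, and if not, handling `$mszLegacyPathReal === false` explicitly. The `if` block opened in this hunk continues outside it, so what follows the manage check is not visible here.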