

Prevent Phame blogs from using invalid skins

Summary: Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Test Plan: Attempted to build a blog with an invalid skin name; got an exception instead of loading a skin from outside the configured skin directories.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10992

+22 -2
+22 -2
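--- a/src/applications/phame/skins/PhameSkinSpecification.php
+++ b/src/applications/phame/skins/PhameSkinSpecification.php
@@ -56,12 +56,32 @@
 }
 
 public static function loadOneSkinSpecification($name) {
+// Only allow skins which we know to exist to load. This prevents loading
+// skins like "../../secrets/evil/".
+$all = self::loadAllSkinSpecifications();
+if (empty($all[$name])) {
+throw new Exception(
+pht(
+'Blog skin "%s" is not a valid skin!',
+$name));
+}
+
 $paths = PhabricatorEnv::getEnvConfig('phame.skins');
-$base = dirname(phutil_get_library_root('phabricator'));
+$base = dirname(phutil_get_library_root('phabricator'));
 foreach ($paths as $path) {
 $path = Filesystem::resolvePath($path, $base);
 $skin_path = $path.DIRECTORY_SEPARATOR.$name;
 if (is_dir($skin_path)) {
+
+// Double check that the skin really lives in the skin directory.
+if (!Filesystem::isDescendant($skin_path, $path)) {
+throw new Exception(
+pht(
+'Blog skin "%s" is not located in path "%s"!',
+$name,
+$path));
+}
+
 $spec = self::loadSkinSpecification($skin_path);
 if ($spec) {
 $spec->setName($name);
@@ -72,7 +92,7 @@
 return null;
 }
 
-public static function loadSkinSpecification($path) {
+private static function loadSkinSpecification($path) {
 
 $config_path = $path.DIRECTORY_SEPARATOR.'skin.json';
 $config = array();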
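Review bot: The allow-list check at new line 62 is the only thing keeping a `$name` that contains a path separator away from the filesystem, because `is_dir($skin_path)` on line 74 still runs before the `Filesystem::isDescendant` check on line 77; if `loadAllSkinSpecifications()` (outside this hunk) ever keys its result by something other than the directory basename, a traversal name would reach that probe before being rejected. A cheap guard that does not depend on how the enumerator builds its keys is to require `$name` to be a single path component in the same condition: `if (basename($name) !== $name || empty($all[$name])) {`. Note that `.` and `..` survive `basename()` unchanged, but `$path/..` is then caught by the `isDescendant` check, so the two checks together cover them. `loadOneSkinSpecification` continues past the first hunk, and the body of `loadSkinSpecification` runs past the second.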