Access to private files about css-js-booster HOT 11 CLOSED

I saw your file check already (albeit it throwed an error here as not everybody has finfo available ;)

It is true that you can do a path traversal on the one hand, but it is also true that Booster did already do a filename-check to ensure to include only .css and .js files. Also file names were filtered before being processed. So you can't do that much damage in my opinion. If I am wrong you must show me how! :D

from css-js-booster.

It was very easy, i typed this in my url bar :
http://domain.net/CSS-JS-Booster/booster/booster_css.php?dir=../../hello.php,../../static/css/yui,../../static/css/library,../../static/css/template&cachedir=booster_cache&css_hosted_minifier=1&totalparts=1&part=1&nocache=0

and there i had the php file (do not remember if id did it with css.php or js.php)

just watched the code very fast, doesn't the check only occurs when dealing with directories ?

from css-js-booster.

Nope, it should always do the check from what I know.
I was very aware of the potential risk of not checking twice what files are being requested, that's why I had have the check everywhere. See for example here in line 468 ff.:

http://github.com/Schepp/CSS-JS-Booster/blob/master/booster/booster_inc.php

from css-js-booster.

Okay, sorry, I think you may be right for the check being ommited on single files. I also just did a quick scan of my code. Will dig deeper and then include the check there too if it is really missing. Shouldn't be missing.

from css-js-booster.

Getfiles is only called when css.php is called with dir=actual/dir and not dir=actualfile.php

right ?

ps: i double checked and the == $type is only called in getfiles wich is only called on directories

good luck

from css-js-booster.

You are completely right. But you also already put in place is_css and is_js, so they will now do a good job then. BTW: I will push an improved Booster this week, with a lot of changes (also including your improvements), so don't develop too much at the moment as merging may get difficult then :)

from css-js-booster.

ARGH ! i hope the merge will not be too difficult ... you couldn't get my changes then move them / modify them and repush ?

if you do all your changes by hand outside github it's a lot more difficult but i'll handle it .. :)

from css-js-booster.

I have most of your changes here (I did a pull two days ago).
But I still need an hour or two of work on the library before pushing it to the public. Don't want to have something broken online.

from css-js-booster.

No Problem, also i just saw i had double new finfo on is_css and is_js on my branch

good work ! see you

from css-js-booster.

Thanks! Good work from you, too!
I drop you an info as soon as I do the push.

from css-js-booster.

Fixed

from css-js-booster.