Comments (11)
I saw your file check already (albeit it threw an error here, as not everybody has finfo available ;)
It is true that you can do a path traversal on the one hand, but it is also true that Booster did already do a filename-check to ensure to include only .css and .js files. Also file names were filtered before being processed. So you can't do that much damage in my opinion. If I am wrong you must show me how! :D
from css-js-booster.
It was very easy, I typed this in my URL bar:
http://domain.net/CSS-JS-Booster/booster/booster_css.php?dir=../../hello.php,../../static/css/yui,../../static/css/library,../../static/css/template&cachedir=booster_cache&css_hosted_minifier=1&totalparts=1&part=1&nocache=0
and there I had the PHP file (do not remember if I did it with css.php or js.php)
Just watched the code very fast, doesn't the check only occur when dealing with directories?
from css-js-booster.
Nope, it should always do the check from what I know.
I was very aware of the potential risk of not checking twice what files are being requested, that's why I have the check everywhere. See for example here in line 468 ff.:
http://github.com/Schepp/CSS-JS-Booster/blob/master/booster/booster_inc.php
from css-js-booster.
Okay, sorry, I think you may be right about the check being omitted on single files. I also just did a quick scan of my code. Will dig deeper and then include the check there too if it is really missing. Shouldn't be missing.
from css-js-booster.
Getfiles is only called when css.php is called with dir=actual/dir and not dir=actualfile.php,
right?
PS: I double checked and the == $type comparison is only done in getfiles, which is only called on directories.
Good luck
from css-js-booster.
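The gap the thread converges on is that the .css/.js extension check lives only in the directory branch (getfiles), so a single-file `dir=` entry skips it. The following is an added example, not CSS-JS-Booster's own code, showing a resolver that applies the same two checks (base-directory containment via realpath, extension allowlist) to both single files and directory listings; the function names, `$baseDir` and `$allowedExt` are assumptions.

```php
<?php
// Added example (not the Booster code base). Resolves a comma-separated
// "dir" parameter like the one in the thread, but validates every entry,
// whether it names a file or a directory, before it is served.

function booster_has_allowed_ext(string $file, array $allowedExt): bool {
    // Extension allowlist; does not depend on finfo being installed.
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true);
}

function booster_resolve_entries(string $baseDir, string $dirParam,
                                 array $allowedExt = ['css', 'js']): array {
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $result = [];
    foreach (explode(',', $dirParam) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        // realpath() canonicalises "..", symlinks and repeated separators and
        // returns false for paths that do not exist.
        $path = realpath($base . DIRECTORY_SEPARATOR . $entry);
        $inside = $path !== false
            && ($path === $base || strpos($path, $base . DIRECTORY_SEPARATOR) === 0);
        if (!$inside) {
            // e.g. "../../hello.php" resolves outside $base: reject silently.
            continue;
        }
        if (is_dir($path)) {
            foreach (scandir($path) as $name) {
                $file = $path . DIRECTORY_SEPARATOR . $name;
                if (is_file($file) && booster_has_allowed_ext($file, $allowedExt)) {
                    $result[] = $file;
                }
            }
        } elseif (is_file($path) && booster_has_allowed_ext($path, $allowedExt)) {
            // Single file: same allowlist as the directory branch, which is
            // exactly the check the thread found was being skipped.
            $result[] = $path;
        }
    }
    return $result;
}
```

Because the containment test runs on the canonicalised path, a `dir=` value that resolves inside the base directory but ends in `.php` is still dropped by the extension check, and one that resolves outside it never reaches the extension check at all.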
You are completely right. But you also already put in place is_css and is_js, so they will now do a good job then. BTW: I will push an improved Booster this week, with a lot of changes (also including your improvements), so don't develop too much at the moment as merging may get difficult then :)
from css-js-booster.
ARGH! I hope the merge will not be too difficult... couldn't you get my changes, then move them / modify them and re-push?
If you do all your changes by hand outside GitHub it's a lot more difficult, but I'll handle it.. :)
from css-js-booster.
I have most of your changes here (I did a pull two days ago).
But I still need an hour or two of work on the library before pushing it to the public. Don't want to have something broken online.
from css-js-booster.
No problem, also I just saw I had a double new finfo on is_css and is_js on my branch.
Good work! See you
from css-js-booster.
Thanks! Good work from you, too!
I drop you an info as soon as I do the push.
from css-js-booster.
Fixed
from css-js-booster.