Forbid access to templates via static content server

alecpl · alecpl · commit 2fb8cc41d195 · 2024-11-18T11:26:19.000+01:00
diff --git a/public_html/static.php b/public_html/static.php
@@ -99,7 +99,7 @@ function validateStaticFile($path): ?string
 
     $found = false;
     foreach (ALLOWED_PATHS as $prefix) {
-        if (strpos($path, $prefix) === 0) {
+        if (strpos($path, $prefix) === 0 && !preg_match('~skins/.+/templates/~', $path)) {
             $found = true;
             break;
         }

Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ function validateStaticFile($path): ?string`
`99`	`99`
`100`	`100`	`$found = false;`
`101`	`101`	`foreach (ALLOWED_PATHS as $prefix) {`
`102`		`- if (strpos($path, $prefix) === 0) {`
	`102`	`+ if (strpos($path, $prefix) === 0 && !preg_match('~skins/.+/templates/~', $path)) {`
`103`	`103`	`$found = true;`
`104`	`104`	`break;`
`105`	`105`	`}`