More secure skin param check (#1346)
This commit is contained in:
parent
35d7e7e2f5
commit
931188b15f
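--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -421,16 +421,22 @@ sub getSkin {
 # Check skin GET/POST parameter
 my $skinParam = $req->param('skin');
-if ( defined $skinParam and !$self->checkXSSAttack( 'skin', $skinParam ) ) {
+if ( defined $skinParam ) {
+if ( $skinParam =~ /^[\w\-]$/ ) {
 if ( -d $self->conf->{templateDir} . '/' . $skinParam ) {
 $skin = $skinParam;
-$self->logger->debug("Skin $skin selected from GET/POST parameter");
+$self->logger->debug(
+"Skin $skin selected from GET/POST parameter");
 }
 else {
 $self->userLogger->error(
 "User tries to access to unexistent skin dir $skinParam");
 }
 }
+else {
+$self->userLogger->error("Strange skin parameter: $skinParam");
+}
+}
 
 return $skin;
 }
 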
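Review bot: The whitelist regex on the added line `if ( $skinParam =~ /^[\w\-]$/ ) {` has no quantifier, so it accepts exactly one character and sends every longer skin name into the new "Strange skin parameter" branch, which makes the `-d` directory check unreachable for any realistic value. The `$` anchor also tolerates a trailing newline, so the intended check is `if ( $skinParam =~ /\A[\w\-]+\z/ ) {` (add `/a` if only ASCII names are meant, since `\w` is Unicode-aware by default). On the new `else` branch the rejected value is interpolated unescaped into the userLogger error message after the whitelist has already failed, so it can contain arbitrary bytes; log consumers should treat that field as untrusted or the value should be sanitized before logging. getSkin begins before this hunk.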