Restrict valid paths in ext.php for extensions (#7474)

* Restrict valid paths in ext.php for extensions * Disallow absolute paths as well
author: Alexandre Alapetite <alexandre@alapetite.fr> 2025-04-01 17:53:33 +0200
committer: GitHub <noreply@github.com> 2025-04-01 17:53:33 +0200
commit: 5cb73fa2206138235a0978d64c35332b67ce180c (patch)
tree: 1c57cac438a0b7a651c9469f4b11b62fc487fed6 /p
parent: aa3867ae12c3718fe65bfb8871376780f3827d07 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/p/ext.php b/p/ext.php
index b3007a4fd..dbd9a8cbb 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -76,14 +76,15 @@ function is_valid_path_extension(string $path, string $extensionPath, bool $isSt
  *
  * @param string $path the path to the file we want to serve.
  * @return bool true if it can be served, false otherwise.
- *
  */
 function is_valid_path(string $path): bool {
-	return is_valid_path_extension($path, CORE_EXTENSIONS_PATH) || is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH)
-		|| is_valid_path_extension($path, USERS_PATH, false);
+	return !str_contains($path, '..') && !str_starts_with($path, '/') && !str_starts_with($path, '\\') && (
+		is_valid_path_extension($path, CORE_EXTENSIONS_PATH) ||
+		is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH) ||
+		is_valid_path_extension($path, USERS_PATH, false));
 }
 
-function sendBadRequestResponse(string $message = null): never {
+function sendBadRequestResponse(?string $message = null): never {
 	header('HTTP/1.1 400 Bad Request');
 	die($message);
 }
author	Alexandre Alapetite <alexandre@alapetite.fr>	2025-04-01 17:53:33 +0200
committer	GitHub <noreply@github.com>	2025-04-01 17:53:33 +0200
commit	5cb73fa2206138235a0978d64c35332b67ce180c (patch)
tree	1c57cac438a0b7a651c9469f4b11b62fc487fed6 /p
parent	aa3867ae12c3718fe65bfb8871376780f3827d07 (diff)