From a2da70fd119cc43438f8dd88de54a7d19fafbe1a Mon Sep 17 00:00:00 2001
From: Marien Fressinaud <dev@marienfressinaud.fr>
Date: Fri, 5 Dec 2014 10:51:34 +0100
Subject: Fix security hole from ext.php script.

Now, ext.php can only serve file under a EXTENSIONS_PATH/ext_dir/static/ directory.
A 400 Bad Request error will be returned for other files.

See https://github.com/FreshRSS/FreshRSS/issues/252
And https://github.com/FreshRSS/FreshRSS/commit/f9b037742a0aeb49cab86782d1a59913c2de47b
---
 lib/Minz/Extension.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/Minz/Extension.php')

diff --git a/lib/Minz/Extension.php b/lib/Minz/Extension.php
index 72a375a6d..ecf510ea2 100644
--- a/lib/Minz/Extension.php
+++ b/lib/Minz/Extension.php
@@ -106,9 +106,9 @@ class Minz_Extension {
 	 */
 	public function getFileUrl($filename, $type) {
 		$dir = end(explode('/', $this->path));
-		$file_name_url = urlencode($dir . '/' . $filename);
+		$file_name_url = urlencode($dir . '/static/' . $filename);
 
-		$absolute_path = $this->path . '/' . $filename;
+		$absolute_path = $this->path . '/static/' . $filename;
 		$mtime = @filemtime($absolute_path);
 
 		$url = '/ext.php?f=' . $file_name_url .
-- 
cgit v1.2.3