From 5cb73fa2206138235a0978d64c35332b67ce180c Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Tue, 1 Apr 2025 17:53:33 +0200
Subject: Restrict valid paths in ext.php for extensions (#7474)

* Restrict valid paths in ext.php for extensions

* Disallow absolute paths as well
---
 p/ext.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'p/ext.php')

diff --git a/p/ext.php b/p/ext.php
index b3007a4fd..dbd9a8cbb 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -76,14 +76,15 @@ function is_valid_path_extension(string $path, string $extensionPath, bool $isSt
  *
  * @param string $path the path to the file we want to serve.
  * @return bool true if it can be served, false otherwise.
- *
  */
 function is_valid_path(string $path): bool {
-	return is_valid_path_extension($path, CORE_EXTENSIONS_PATH) || is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH)
-		|| is_valid_path_extension($path, USERS_PATH, false);
+	return !str_contains($path, '..') && !str_starts_with($path, '/') && !str_starts_with($path, '\\') && (
+		is_valid_path_extension($path, CORE_EXTENSIONS_PATH) ||
+		is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH) ||
+		is_valid_path_extension($path, USERS_PATH, false));
 }
 
-function sendBadRequestResponse(string $message = null): never {
+function sendBadRequestResponse(?string $message = null): never {
 	header('HTTP/1.1 400 Bad Request');
 	die($message);
 }
-- 
cgit v1.2.3