Fixed legacy paths being too / tolerant.

2023-09-11 20:15:44 +00:00 · 2023-09-11 20:15:44 +00:00 · 67d9620037
parent 904d220582
commit 67d9620037
1 changed files with 6 additions and 2 deletions
--- a/public/index.php
+++ b/public/index.php
@ -131,11 +131,15 @@ CSRF::init(
 $router = $msz->createRouting();
 $msz->startTemplating();

-$mszRequestPath = $request->getPath();
+$mszRequestPath = substr($request->getPath(), 1);
 $mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';
-$mszLegacyPath = realpath($mszLegacyPathPrefix . $mszRequestPath);
+$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;

 if(!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
+    $mszLegacyPathReal = realpath($mszLegacyPath);
+    if($mszLegacyPath !== $mszLegacyPathReal && $mszLegacyPath !== $mszLegacyPathReal . '/')
+        Template::throwError(404);
+
    if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())
        Template::throwError(403);