security fix for file name saving 7.x-2.7
author guybedford
Wed, 9 Jan 2013 06:51:59 +0000 (07:51 +0100)
committer guybedford
Wed, 9 Jan 2013 06:51:59 +0000 (07:51 +0100)
live_css.module

index 63d3c2a..d2ed092 100755 (executable)
@@ -216,6 +216,24 @@ function live_css_save() {
   // i.e. http://.../css/my_file.css?m1unhm
   $sanitized_url = _live_css_sanitize_css_url($href);
 
+  if (substr($sanitized_url, -4) != '.css' && substr($sanitized_url, -5) != '.less') {
+    echo drupal_json_encode(array(
+      'result' => 'failure',
+      'filename' => $path,
+      'msg' => 'Can\'t save to files without a \'less\' or \'css\' extension!'
+    ));
+    return;
+  }
+
+  if (file_munge_filename($sanitized_url) != $sanitized_url) {
+    echo drupal_json_encode(array(
+      'result' => 'failure',
+      'filename' => $path,
+      'msg' => 'The url used contains a sub-filextension which poses a security threat. Saving not allowed.'
+    ));
+    return;
+  }
+
   // File path relative to Drupal installation folder.
   global $base_url;
   $stripped_url = drupal_substr($sanitized_url, drupal_strlen($base_url) , drupal_strlen($sanitized_url));
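Review bot: The `file_munge_filename()` guard in the second added block is run on the full sanitized URL (scheme and host included) and is called without Drupal 7's required `$extensions` argument, so the whitelist is effectively empty and every dot in the host name (e.g. `example.com`) is treated as a sub-extension and the save is refused; conversely, on a site with `allow_insecure_uploads` enabled that function returns its input unchanged and the check is silently bypassed. Moving the check below the `$stripped_url` computation and applying it to the file name with an explicit whitelist, `if (file_munge_filename(basename($stripped_url), 'css less', FALSE) != basename($stripped_url)) {`, fixes both; a direct test such as `if (!preg_match('/^[^.]+\.(css|less)$/', basename($stripped_url))) {` would additionally remove the dependency on the upload setting. live_css_save() begins before and continues after this hunk, and `$path` used in the failure responses is assumed to be set earlier in the function.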
@@ -251,6 +269,10 @@ function _live_css_sanitize_css_url($url){
   if ($pos !== FALSE) {
     $result = substr($url, 0, $pos + 4);
   }
+  $pos = strpos($url, '.less?');
+  if ($pos !== FALSE) {
+    $result = substr($url, 0, $pos + 5);
+  }
   return $result;
 }
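Review bot: In `_live_css_sanitize_css_url()` the new `.less?` branch runs after the `.css?` branch and unconditionally overwrites `$result`, so for a URL containing both markers the `.less?` truncation wins even when `.css?` occurs first; the precedence is only implicit in statement order. Making it explicit, either with `elseif` on the second `strpos` or by keeping the smaller of the two positions, plus a comment such as `// Strip the cache-busting query string; the first matching extension marker wins.` would document the intent. The function's opening and the initialisation of `$result` lie outside the hunk.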