
Prevent Phame blogs from using invalid skins

Authored by epriestley <git@epriestley.com> on Dec 15 2014, 19:41.

Description

Prevent Phame blogs from using invalid skins

Summary: Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Test Plan: Attempted to build a blog with an invalid skin; got an exception instead of a mis-load of a sketchy skin.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10992
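The weakness described in the summary is a missing containment check: the skin actually loaded was never verified to live under one of the configured skin directories. The block below is an added illustration of that kind of load-time check, written for this page and not Phabricator's own code (Phame is PHP; this is a Python sketch). It assumes, as constructed details for the example, that skins are addressed by a bare directory name and that the configuration holds a list of skin root directories; the demo layout it builds in a temporary directory is likewise constructed.

```python
import os
import tempfile


class InvalidSkinError(Exception):
    """Raised when a requested skin does not resolve inside a configured skin directory."""


def resolve_skin_path(skin_name, skin_dirs):
    """Return the real path of `skin_name` if it is a direct child of one of `skin_dirs`.

    The containment test runs on the canonicalised path (symlinks and '..' resolved),
    not on the string the caller supplied, so a skin that physically lives outside the
    configured roots is rejected even when its name looks harmless.
    """
    # A skin is addressed by a plain directory name; anything path-like is refused up front.
    looks_like_path = (
        not skin_name
        or os.sep in skin_name
        or (os.altsep is not None and os.altsep in skin_name)
        or skin_name in (".", "..")
    )
    if looks_like_path:
        raise InvalidSkinError("skin name must be a plain directory name: %r" % (skin_name,))

    for skin_dir in skin_dirs:
        root = os.path.realpath(skin_dir)
        candidate = os.path.realpath(os.path.join(root, skin_name))
        # After resolution the skin must sit directly inside the resolved root.
        if os.path.dirname(candidate) != root:
            continue
        if os.path.isdir(candidate):
            return candidate
    raise InvalidSkinError("no configured skin directory contains skin %r" % (skin_name,))


def demo_layout():
    """Build a constructed directory layout for the example (not a real Phame install).

    Returns (base_dir, [configured skin roots]). Inside the skin root there is one
    genuine skin ('basic') and, where the platform allows it, a symlink ('linked')
    that points at a directory outside the root.
    """
    base = tempfile.mkdtemp(prefix="skin-demo-")
    skins = os.path.join(base, "skins")
    os.makedirs(os.path.join(skins, "basic"))
    os.makedirs(os.path.join(base, "outside"))  # exists, but is not a configured skin root
    try:
        os.symlink(os.path.join(base, "outside"), os.path.join(skins, "linked"))
    except (OSError, NotImplementedError):
        pass  # platforms without symlink support simply skip that case
    return base, [skins]


def skin_is_loadable(skin_name, skin_dirs):
    """True if the skin passes the containment check, False if it is rejected."""
    try:
        resolve_skin_path(skin_name, skin_dirs)
        return True
    except InvalidSkinError:
        return False


if __name__ == "__main__":
    base, dirs = demo_layout()
    for name in ("basic", "../outside", "linked", "missing", "/etc"):
        print("%-12s -> %s" % (name, "load" if skin_is_loadable(name, dirs) else "reject"))
```

Only `basic` loads; the traversal name, the absolute path, the symlink escaping the root and the nonexistent skin are all rejected with an exception, which matches the behaviour the test plan describes (an exception instead of a mis-load). The design point is that the decision is made on the resolved filesystem location, not on the configured list or the requested name alone.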

Details

Committed
epriestley <git@epriestley.com>, Dec 15 2014, 19:41
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH2a9db94ba6e9: Restore Maniphest subscriber transaction mail tag
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH2037979142cb: Prevent Phame blogs from using invalid skins (authored by epriestley <git@epriestley.com>). Dec 15 2014, 19:41