Homestyx hydra
Diffusion hydra 2037979142cb

Prevent Phame blogs from using invalid skins
2037979142cb
Actions

Description

Prevent Phame blogs from using invalid skins

Summary: Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Test Plan: Attempted to build a blog with an invalid skin; got an exception instead of a mis-load of a sketchy skin.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10992

Details

Provenance
epriestleyAuthored on Dec 15 2014, 1:41 PM
sirocylPushed on Oct 16 2024, 5:49 AM
Parents
R1:2a9db94ba6e9: Restore Maniphest subscriber transaction mail tag
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (1)

PathSize
src/
applications/
phame/
skins/

R1:2037979142cb

View Options

src/applications/phame/skins/PhameSkinSpecification.php

Loading...
styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)