use realpath and validate tpl directory contents

to ensure only php files inside the tpl dir can get used as templates
2026-03-05 13:30:32 -05:00 · 2025-11-11 09:34:54 +01:00
parent dae5f7fd61
commit f2164353c3
2 changed files with 22 additions and 4 deletions
--- a/lib/View.php
+++ b/lib/View.php
@@ -12,6 +12,7 @@
 namespace PrivateBin;

 use Exception;
+use GlobIterator;

 /**
 * View
@@ -49,13 +50,21 @@ class View
     */
    public function draw($template)
    {
+        $dir  = PATH . 'tpl' . DIRECTORY_SEPARATOR;
        $file = substr($template, 0, 10) === 'bootstrap-' ? 'bootstrap' : $template;
-        $path = PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php';
-        if (!file_exists($path)) {
+        $path = realpath($dir . $file . '.php');
+        if ($path === false) {
            throw new Exception('Template ' . $template . ' not found!', 80);
        }
-        extract($this->_variables);
-        include $path;
+        foreach (new GlobIterator($dir . '*.php') as $tplFile) {
+            if ($tplFile->getRealPath() === $path) {
+                $templatesInPath = new GlobIterator(PATH . 'tpl' . DIRECTORY_SEPARATOR . '*.php');
+                extract($this->_variables);
+                include $path;
+                return;
+            }
+        }
+        throw new Exception('Template ' . $file . '.php not found in ' . $dir . '!', 81);
    }

    /**
--- a/tst/ViewTest.php
+++ b/tst/ViewTest.php
@@ -141,4 +141,13 @@ class ViewTest extends TestCase
        $this->expectExceptionCode(80);
        $test->draw('123456789 does not exist!');
    }
+
+    public function testInvalidTemplate()
+    {
+        $test = new View;
+        $this->expectException(Exception::class);
+        $this->expectExceptionCode(81);
+        $test->draw('../index');
+    }
+
 }