fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-04 01:01:41 +09:00
Code Issues Projects Releases Packages Wiki Activity

RVE-2022-3 filter skin parameter in ModuleModel::loadSkinInfo()

Browse source
This commit is contained in:
Kijin Sung 2022-06-28 20:07:40 +09:00
parent 693fb9e041
commit bc562b74ba
1 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
modules/module/module.model.php
View file

@ -957,8 +957,16 @@ class moduleModel extends module
{
// Read xml file having skin information
if(substr($path,-1)!='/') $path .= '/';
if(!preg_match('/^[a-zA-Z0-9_-]+$/', $skin))
{
return;
}
$skin_xml_file = sprintf("%s%s/%s/skin.xml", $path, $dir, $skin);
if(!file_exists($skin_xml_file)) return;
if(!file_exists($skin_xml_file))
{
return;
}
// Create XmlParser object
$oXmlParser = new XeXmlParser();
$_xml_obj = $oXmlParser->loadXmlFile($skin_xml_file);