mirror of https://we.phorge.it/source/phorge.git synced 2024-11-14 10:52:41 +01:00
phorge-phorge/src/applications/phame
epriestley 2037979142 Prevent Phame blogs from using invalid skins
Summary: Via HackerOne. An attacker with access to both Phame and the filesystem could potentially load a skin that lives outside of the configured skin directories, because we had insufficient checks on the actual skin at load time.

Test Plan: Attempted to build a blog with an invalid skin; got an exception instead of a mis-load of a sketchy skin.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10992
2014-12-15 10:41:49 -08:00
application Minor formatting changes 2014-10-08 08:39:49 +11:00
celerity Move build-time resources to "CelerityPhysicalResources" to fix Phame 2013-12-31 19:21:56 -08:00
conduit phutil_utf8_shorten => PhutilUTF8StringTruncator 2014-08-29 15:15:13 -07:00
config Change double quotes to single quotes. 2014-06-09 11:36:50 -07:00
controller Don't show meme Remarkup hint button if Macro application is not usable 2014-11-24 15:25:25 -08:00
phid Rename PHIDType classes 2014-07-24 08:05:46 +10:00
query Remove @group annotations 2014-07-10 08:12:48 +10:00
skins Prevent Phame blogs from using invalid skins 2014-12-15 10:41:49 -08:00
storage Fix Phame handling of $request 2014-10-24 09:02:18 -07:00
view Minor formatting changes 2014-10-08 08:39:49 +11:00