From eb225cc78b1123a10ce2784790f232d71c2066c4 Mon Sep 17 00:00:00 2001
From: Tam
Date: Fri, 9 Jul 2021 12:07:02 +0100
Subject: [PATCH] Fix security vulnerability
---
 CHANGELOG.md | 4 ++++
 composer.json | 2 +-
 src/Controller.php | 12 +++++++++---
 src/templates/view.twig | 12 +++++++-----
 4 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2389d4e..26a3587 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 3.0.4 - 2021-07-09 [CRITICAL]
+### Fixed
+- Fix security vulnerability
+
 ## 3.0.3 - 2019-11-25
 ### Fixed
 - Fix error when first file is not `*.log` (via [@sebschaefer](https://github.com/sebschaefer))
diff --git a/composer.json b/composer.json
index 3cfe0b2..e94199f 100644
--- a/composer.json
+++ b/composer.json
@@ -1,7 +1,7 @@
 {
 "name": "ether/logs",
 "description": "Access logs from the CP",
- "version": "3.0.3",
+ "version": "3.0.4",
 "type": "craft-plugin",
 "minimum-stability": "dev",
 "require": {
diff --git a/src/Controller.php b/src/Controller.php
index 823219b..5593ac0 100644
--- a/src/Controller.php
+++ b/src/Controller.php
@@ -2,14 +2,20 @@ namespace ether\logs;
+use Craft;
+
 class Controller extends \craft\web\Controller { public function actionStream () {
- $logsDir = \Craft::getAlias('@storage/logs');
- $logFile = \Craft::$app->request->getParam('log');
- $currentLog = \Craft::$app->request->get('log', $logFile);
+ $logsDir = Craft::getAlias('@storage/logs');
+ $logFile = Craft::$app->request->getParam('log');
+ $currentLog = basename(Craft::$app->request->get('log', $logFile));
+
+ if (strpos($currentLog, '.log') === false)
+ return '

You can only access .log files!

'; + $log = file_get_contents($logsDir . '/' . $currentLog); exit($log); diff --git a/src/templates/view.twig b/src/templates/view.twig index fdcab5b..6f01703 100644 --- a/src/templates/view.twig +++ b/src/templates/view.twig @@ -1,9 +1,11 @@
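Review bot: The read at the end of the hunk still trusts the name after the new checks: `file_get_contents($logsDir . '/' . $currentLog)` is never tested for `false`, so a request for a non-existent `.log` name raises a PHP warning and `exit($log)` with `false` sends an empty 200 instead of a 404, and the `strpos` test accepts `.log` anywhere in the name rather than as a suffix — presumably deliberate so rotated files such as `web.log.1` stay reachable, which deserves a comment like `// '.log' anywhere, not only as suffix, so rotated web.log.N files remain viewable`. `basename()` does stop `../` traversal; as defence in depth I would also confirm the resolved path lies under `$logsDir` and emit the body as `text/plain`, because `exit($log)` leaves the default content type in place and log lines can carry request-supplied text (whether that is rendered as HTML depends on the twig view, which is not readable in this diff). Nothing in the hunk restricts the action beyond whatever `\craft\web\Controller` applies by default, so it is worth checking outside the hunk that a `requireAdmin()`/`requirePermission()` call guards log access. The closing lines of `actionStream` are not in the visible hunk.

```php
        $currentLog = basename(Craft::$app->request->get('log', $logFile));

        // … unchanged: '.log' name check …

        // Defence in depth: serve only a regular file that resolves inside the logs dir,
        // and answer 404 instead of a warning plus empty body for anything else.
        $base = realpath($logsDir);
        $path = realpath($logsDir . '/' . $currentLog);
        if ($base === false || $path === false || !is_file($path)
            || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            http_response_code(404);
            exit;
        }

        // Raw log text; never let the browser interpret it as HTML.
        header('Content-Type: text/plain; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
        exit(file_get_contents($path));
```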
- +