From ff8e9fa072d767ef99cbaa76815cf0fe5a6264b2 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 17 Sep 2019 12:07:10 -0400
Subject: [PATCH] Don't glob skins dir and css dirs unless our skin or css is invalid.

---
 web/index.php | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/web/index.php b/web/index.php
index f2fd0660e..5c2448291 100644
--- a/web/index.php
+++ b/web/index.php
@@ -87,27 +87,38 @@ if ( isset($_GET['skin']) ) {
   $skin = 'classic';
 }
 
-$skins = array_map('basename', glob('skins/*', GLOB_ONLYDIR));
+if ( ! is_dir("skins/$skin") ) {
+  $skins = array_map('basename', glob('skins/*', GLOB_ONLYDIR));
 
-if ( ! in_array($skin, $skins) ) {
-  ZM\Error("Invalid skin '$skin' setting to " . $skins[0]);
-  $skin = $skins[0];
+  if ( !in_array($skin, $skins) ) {
+    ZM\Error("Invalid skin '$skin' setting to ".$skins[0]);
+    $skin = $skins[0];
+  }
 }
 
 if ( isset($_GET['css']) ) {
   $css = $_GET['css'];
-} elseif ( isset($_COOKIE['zmCSS']) ) {
+} else if ( isset($_COOKIE['zmCSS']) ) {
   $css = $_COOKIE['zmCSS'];
-} elseif ( defined('ZM_CSS_DEFAULT') ) {
+} else if ( defined('ZM_CSS_DEFAULT') ) {
   $css = ZM_CSS_DEFAULT;
 } else {
   $css = 'classic';
 }
 
-$css_skins = array_map('basename', glob('skins/'.$skin.'/css/*',GLOB_ONLYDIR));
-if ( !in_array($css, $css_skins) ) {
-  ZM\Error("Invalid skin css '$css' setting to " . $css_skins[0]);
-  $css = $css_skins[0];
+if ( !is_dir("skins/$skin/css/$css") ) {
+  $css_skins = array_map('basename', glob('skins/'.$skin.'/css/*', GLOB_ONLYDIR));
+  if ( count($css_skins) ) {
+    if ( !in_array($css, $css_skins) ) {
+      ZM\Error("Invalid skin css '$css' setting to " . $css_skins[0]);
+      $css = $css_skins[0];
+    } else {
+      $css = '';
+    }
+  } else {
+    ZM\Error("No css options found at skins/$skin/css");
+    $css = '';
+  }
 }
 
 define('ZM_BASE_PATH', dirname($_SERVER['REQUEST_URI']));
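Review bot: The new `is_dir("skins/$skin")` short-circuit accepts any request-supplied `$skin` (it comes from `$_GET['skin']` in the chain that starts above the hunk) for which the path happens to exist, so a value containing a path separator, `.`, `..` or the empty string no longer reaches the `in_array` check against the globbed basenames that rejected it before; `is_dir("skins/$skin/css/$css")` lower in the hunk has the same gap for `$css`. Restricting the fast path to plain directory names keeps the optimisation and lets everything else fall through to the list check: `if ( $skin === '' || $skin !== basename($skin) || $skin === '.' || $skin === '..' || !is_dir("skins/$skin") ) {`, with the equivalent test on `$css` in the css branch. Separately, the new inner `else { $css = ''; }` runs when `$css` is in the globbed list even though `is_dir` just rejected it, which looks unintended; the removed code left `$css` unchanged in that case.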
@@ -116,7 +127,7 @@ define('ZM_SKIN_NAME', $skin);
 
 $skinBase = array(); // To allow for inheritance of skins
 if ( !file_exists(ZM_SKIN_PATH) )
-  Fatal("Invalid skin '$skin'");
+  ZM\Fatal("Invalid skin '$skin'");
 $skinBase[] = $skin;
 
 zm_session_start();
@@ -125,7 +136,7 @@ if ( !isset($_SESSION['skin']) ||
 
   isset($_REQUEST['skin']) ||
   !isset($_COOKIE['zmSkin']) ||
-  $_COOKIE['zmSkin'] != $skin
+  ($_COOKIE['zmSkin'] != $skin)
 ) {
   $_SESSION['skin'] = $skin;
   setcookie('zmSkin', $skin, time()+3600*24*30*12*10);
@@ -135,7 +146,7 @@ if ( !isset($_SESSION['css']) ||
 
   isset($_REQUEST['css']) ||
   !isset($_COOKIE['zmCSS']) ||
-  $_COOKIE['zmCSS'] != $css
+  ($_COOKIE['zmCSS'] != $css)
 ) {
   $_SESSION['css'] = $css;
   setcookie('zmCSS', $css, time()+3600*24*30*12*10);