Minahito
minah****@users*****
2006年 4月 28日 (金) 18:16:30 JST
Index: xoops2jp/html/modules/base/admin/css.php
diff -u xoops2jp/html/modules/base/admin/css.php:1.1.2.3 xoops2jp/html/modules/base/admin/css.php:1.1.2.4
--- xoops2jp/html/modules/base/admin/css.php:1.1.2.3 Thu Jan 26 01:09:07 2006
+++ xoops2jp/html/modules/base/admin/css.php Fri Apr 28 18:16:30 2006
@@ -5,20 +5,23 @@
 $theme = isset($_GET['theme']) ? trim($_GET['theme']) : null;
-$file = trim($_GET['file']);
+$dirname = isset($_GET['dirname']) ? trim($_GET['dirname']) : null;
+$file = "stylesheets/" . trim($_GET['file']);
-if (strpos($file, "..") !== false) {
+if (strstr($theme, "..") !== false || strstr($dirname, "..") !== false || strstr($file, "..") !== false) {
 exit();
 }
 $smarty = new Legacy_AdminSmarty();
-if ($theme !=null && !file_exists(XOOPS_THEME_PATH . "/" . $theme . "/" . $file)) {
- exit();
+if ($theme != null && $dirname != null) {
+ $path = XOOPS_THEME_PATH . "/${theme}/modules/${dirname}/admin/templates";
 }
-
-if($theme!=null) {
- $path = XOOPS_THEME_PATH . "/" . $theme;
+elseif ($theme != null) {
+ $path = XOOPS_THEME_PATH . "/" .$theme;
+}
+elseif ($dirname != null) {
+ $path = XOOPS_MODULE_PATH . "/${dirname}/admin/templates";
 } else {
 $path = LEGACY_ADMIN_RENDER_FALLBACK_PATH;