From 445b210756b5f22efba12b65c4c0bf63da6f20dd Mon Sep 17 00:00:00 2001
From: Colin Mollenhour
Date: Mon, 17 Sep 2018 11:10:35 -0400
Subject: [PATCH] Add protection for unauthorized file access to all fallback-based paths and allow symlinks for inlinecss directive.
---
 app/code/core/Mage/Core/Model/Design/Package.php | 16 ++++++++++++++++
 .../Mage/Core/Model/Email/Template/Abstract.php | 4 +---
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/app/code/core/Mage/Core/Model/Design/Package.php b/app/code/core/Mage/Core/Model/Design/Package.php
index 4854ab27da2..56135a21b16 100644
--- a/app/code/core/Mage/Core/Model/Design/Package.php
+++ b/app/code/core/Mage/Core/Model/Design/Package.php
@@ -436,10 +436,18 @@ protected function _fallback($file, array &$params, array $fallbackScheme = arra
 * @param string $file
 * @param array $params
 * @return string
+ * @throws Exception
 */
 public function getFilename($file, array $params)
 {
 Varien_Profiler::start(__METHOD__);
+
+ // Prevent reading files outside of the proper directory while still allowing symlinked files
+ if (strpos($file, '..') !== false) {
+ Mage::log(sprintf('Invalid path requested: %s (params: %s)', $file, json_encode($params)), Zend_Log::ERR);
+ throw new Exception('Invalid path requested.');
+ }
+
 $this->updateParamDefaults($params);
 $result = $this->_fallback(
 $file,
@@ -478,10 +486,18 @@ public function getLocaleFileName($file, array $params=array())
 * @param string $file
 * @param array $params
 * @return string
+ * @throws Exception
 */
 public function getSkinUrl($file = null, array $params = array())
 {
 Varien_Profiler::start(__METHOD__);
+
+ // Prevent reading files outside of the proper directory while still allowing symlinked files
+ if (strpos($file, '..') !== false) {
+ Mage::log(sprintf('Invalid path requested: %s (params: %s)', $file, json_encode($params)), Zend_Log::ERR);
+ throw new Exception('Invalid path requested.');
+ }
+
 if (empty($params['_type'])) {
 $params['_type'] = 'skin';
 }
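Review bot: The new guard in getFilename() writes the rejected `$file` to the log through a bare `%s`, so a value carrying line breaks or control characters reaches the log unescaped; the identical line is added to getSkinUrl() in the next hunk. Encoding it the way `$params` already is keeps one rejected request to one log record: `Mage::log(sprintf('Invalid path requested: %s (params: %s)', json_encode($file), json_encode($params)), Zend_Log::ERR);`. The guard also sits after `Varien_Profiler::start(__METHOD__)`, so the throw leaves that timer open unless a stop happens elsewhere; placing the check above the start call avoids that. Both method bodies continue outside their hunks.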
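Review bot: getSkinUrl() declares `$file = null`, and the added `strpos($file, '..')` hands that null to a string parameter, which PHP 8.1 and later report as deprecated; writing the condition as `if ($file !== null && strpos($file, '..') !== false) {` keeps the default call quiet. Because this block is a verbatim copy of the one added to getFilename(), a single private helper called from both methods would stop the two checks from drifting apart when one of them is tightened later. The body of getSkinUrl() continues past the end of the hunk.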
diff --git a/app/code/core/Mage/Core/Model/Email/Template/Abstract.php b/app/code/core/Mage/Core/Model/Email/Template/Abstract.php
index 917ac4de6c4..ec606a8bfb6 100644
--- a/app/code/core/Mage/Core/Model/Email/Template/Abstract.php
+++ b/app/code/core/Mage/Core/Model/Email/Template/Abstract.php
@@ -235,11 +235,9 @@ protected function _getCssFileContent($filename)
 '_theme' => $theme,
 )
 );
- $filePath = realpath($filePath);
- $positionSkinDirectory = strpos($filePath, Mage::getBaseDir('skin'));
 $validator = new Zend_Validate_File_Extension('css');
- if ($validator->isValid($filePath) && $positionSkinDirectory !== false && is_readable($filePath)) {
+ if ($validator->isValid($filePath) && is_readable($filePath)) {
 return (string) file_get_contents($filePath);
 }
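Review bot: With `realpath()` and the skin-directory comparison removed, nothing in _getCssFileContent() itself ties `$filePath` to the skin tree any more; the read now relies entirely on the `..` rejection inside getFilename() and on the `.css` extension test. Assuming getFilename() returns an absolute path under the skin base, a lexical prefix test on the unresolved path would still accept symlinked files while keeping a local boundary, for example adding `strpos($filePath, Mage::getBaseDir('skin') . DS) === 0` to the condition. The extension is now validated on the link name rather than on the resolved target, so what gets inlined is whatever a `.css` link points to; that trade-off deserves a short comment beside the condition. The function starts before the hunk and continues after it.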