Post/product content parameter changed in model edit method, added file checks to load only templates that are html files inside theme folder, previously other files could be loaded from theme folder, vulnerability reported by @0xHamy

givanz · givanz · commit 56e8b848b3e8 · 2025-01-13T01:53:11.000+02:00
diff --git a/admin/controller/editor/editor.php b/admin/controller/editor/editor.php
@@ -116,6 +116,12 @@ private function loadEditorData() {
 		return $data;
 	}
 
+	/*
+		Load theme sections, components and inputs
+	 */
+	private function loadEditorAssets() {
+	}
+
 	/*
 		Load theme sections, components and inputs
 	 */
@@ -169,14 +175,14 @@ function index() {
 		$posts   = [];
 
 		foreach ($results['post'] as $post) {
-			$slug = $post['slug'];
+			$slug = htmlspecialchars($post['slug']);
 			$url  = url('content/page/index',['slug' => $slug, 'post_id' => $post['post_id']]);
 
-			$posts[$slug] = [
-				'name'      => $slug,
+			$posts["$slug-page"] = [
+				'name'      => "$slug-page",
 				'file'      => $post['template'] ? $post['template'] : 'content/page.html',
 				'url'       => $url . ($theme ? '?theme=' . $theme : ''),
-				'title'     => $post['name'],
+				'title'     => htmlspecialchars($post['name']),
 				'post_id'   => $post['post_id'],
 				'folder'    => '',
 				'className' => 'page',
@@ -197,18 +203,75 @@ function index() {
 			$className    = 'url';
 			$current_page = [];
 
+			//check if url and template is relative
+			if (strpos($url, '//') !== false && strpos($template, '..') !== false) {
+				$this->notFound();
+
+				exit();
+			}
+
+			//check if the url has extension and is a html file and exists in the theme folder
+			if (strpos($url, '.') !== false) {
+				if (substr_compare($url, '.html', -5 ,5) === 0) {
+					if (! file_exists(DIR_THEMES . $theme . DS . $url)) {
+						$this->notFound();
+
+						exit();
+					}
+				} else {
+					$this->notFound();
+
+					exit();
+				}
+			}
+
+			//check if template belongs to theme and is a html file
+			if (substr_compare($template, '.html', -5 ,5) === 0) {
+				if (! file_exists(DIR_THEMES . $theme . DS . $template)) {
+					$this->notFound();
+
+					exit();
+				}
+			} else {
+				$this->notFound();
+
+				exit();
+			}
+
 			if ($route && isset($route['module'])) {
 				switch ($route['module']) {
 					case 'product/product/index':
 						$className                  = 'product';
-						$current_page['product_id'] = $route['product_id'];
+
+						if (isset($route['product_id'])) {
+							$current_page['product_id'] = $route['product_id'];
+						} else {
+							if (isset($this->request->get['product_id'])) {
+								$current_page['product_id'] = $this->request->get['product_id'];
+							} else {
+								if (isset($route['slug'])) {
+									$current_page['slug'] = htmlspecialchars($route['slug']);
+								}
+							}
+						}
 
 					break;
 
 					case 'content/post/index':
 					case 'content/page/index':
 						$className               = 'page';
-						$current_page['post_id'] = $route['post_id'];
+
+						if (isset($route['post_id'])) {
+							$current_page['post_id'] = $route['post_id'];
+						} else {
+							if (isset($this->request->get['post_id'])) {
+								$current_page['post_id'] = $this->request->get['post_id'];
+							} else {
+								if (isset($route['slug'])) {
+									$current_page['slug'] = htmlspecialchars($route['slug']);
+								}
+							}
+						}
 
 					break;
 				}
@@ -561,14 +624,15 @@ function save() {
 							'template'     => $file,
 							'type'         => $type,
 							'image'        => 'posts/2.jpg', //'placeholder.svg'
-							'post_content' => [[
-								'slug'        => $slug,
-								'name'        => $name,
-								'content'     => $content,
-								'language_id' => $this->global['language_id'],
-							]],
 						] + $this->global,
-						'site_id' => [$this->global['site_id']], ] + $this->global);
+						'post_content' => [[
+							'slug'        => $slug,
+							'name'        => $name,
+							'content'     => $content,
+							'language_id' => $this->global['language_id'],
+						]],
+						'site_id' => [$this->global['site_id']],
+					] + $this->global);
 
 					if ($result['post']) {
 						$post_id    = $result['post'];
@@ -591,14 +655,14 @@ function save() {
 							'status'          => 1, //active
 							'template'        => $file,
 							'price'           => $price,
-							'product_content' => [[
-								'slug'        => $slug,
-								'name'        => $name,
-								'name'        => $name,
-								'content'     => $content,
-								'language_id' => $this->global['language_id'],
-							]],
 						] + $this->global,
+						'product_content' => [[
+							'slug'        => $slug,
+							'name'        => $name,
+							'name'        => $name,
+							'content'     => $content,
+							'language_id' => $this->global['language_id'],
+						]],
 						'site_id' => [$this->global['site_id']], ] + $this->global);
 
 					if ($result['product']) {
diff --git a/admin/template/editor/editor.tpl b/admin/template/editor/editor.tpl
@@ -40,7 +40,7 @@ if(isset($this->themeBlocks) && is_array($this->themeBlocks))
 	foreach ($this->themeBlocks as $id => $file) {?>
 	
 	[data-v-theme-blocks]|src = $file
-	[data-v-theme-blocks]|id = <?php echo "theme-$id";?>
+	[data-v-theme-blocks]|id = <?php echo 'theme-' . htmlspecialchars($id);?>
 
 	[data-v-theme-blocks]|after = <?php 
 	} 
@@ -55,7 +55,7 @@ if(isset($this->themeSections) && is_array($this->themeSections))
 	foreach ($this->themeSections as $id => $file) {?>
 	
 	[data-v-theme-sections]|src = $file
-	[data-v-theme-sections]|id = <?php echo "theme-$id";?>
+	[data-v-theme-sections]|id = <?php echo 'theme-' . htmlspecialchars($id);?>
 
 	[data-v-theme-sections]|after = <?php 
 	} 
@@ -70,7 +70,7 @@ if(isset($this->themeJs) && is_array($this->themeJs))
 	foreach ($this->themeJs as $id => $file) {?>
 	
 	[data-v-theme-js]|src = $file
-	[data-v-theme-js]|id = <?php echo "theme-$id";?>"
+	[data-v-theme-js]|id = <?php echo 'theme-' . htmlspecialchars($id);?>
 
 	[data-v-theme-js]|after = <?php 
 	} 
@@ -89,11 +89,11 @@ if (isset($this->$name)) {
 	
 		if (isset($option['folder']) && ($optgroup != $option['folder'])) {
 			$optgroup = $option['folder'];
-			echo '<optgroup label="' . ucfirst($optgroup) . '">';
+			echo '<optgroup label="' . ucfirst(htmlspecialchars($optgroup)) . '">';
 		}
 ?>
 
-	@templates-select-option|value = echo $option['file'];
+	@templates-select-option|value = echo htmlspecialchars($option['file']);
 	@templates-select-option = <?php echo htmlspecialchars(ucfirst($option['title']));?>
 	@templates-select-option|addNewAttribute = <?php if ($option['file'] == 'blank.html') echo 'selected';?>
 	
@@ -121,14 +121,14 @@ form[data-vvveb-url]|action = $this->saveUrl
 foreach ($this->languagesList as $language) {
 	//$content = $this->{{type}}['{{type}}_content'][$language['language_id']] ?? [];
 ?>
-	[data-v-languages] [data-v-language-id]|id = <?php echo 'lang-' . $language['code'] . '-' . $_lang_instance;?>
+	[data-v-languages] [data-v-language-id]|id = <?php echo 'lang-' . htmlspecialchars($language['code']) . '-' . $_lang_instance;?>
 	[data-v-languages]  [data-v-language-id]|addClass = <?php if ($_i == 0) echo 'show active';?>
 
 	@language [data-v-language-name] = $language['name']
 	@language [data-v-language-code]|name = $language['code']
 	@language [data-v-language-img]|title = $language['name']
-	@language [data-v-language-img]|src = <?php echo 'language/' . $language['code'] . '/' . $language['code'] . '.png';?>
-	@language [data-v-language-link]|href = <?php echo '#lang-' . $language['code'] . '-' . $_lang_instance?>
+	@language [data-v-language-img]|src = <?php echo 'language/' . htmlspecialchars($language['code']) . '/' . htmlspecialchars($language['code']) . '.png';?>
+	@language [data-v-language-link]|href = <?php echo '#lang-' . htmlspecialchars($language['code']) . '-' . $_lang_instance?>
 	@language [data-v-language-link]|addClass = <?php if ($_i == 0) echo 'active';?>
 
 @language|after = <?php 
