From e4325b1517c3d9769c8e0141e37b2845bf8e4d09 Mon Sep 17 00:00:00 2001
From: VirtualTam
Date: Tue, 19 Sep 2017 20:21:28 +0200
Subject: [PATCH 1/2] Robustness: safer RainTPL directory handling

Relates to https://github.com/shaarli/Shaarli/issues/845
Relates to https://github.com/shaarli/Shaarli/issues/846
Relates to https://github.com/shaarli/Shaarli/pull/909

Signed-off-by: VirtualTam
---
 application/ApplicationUtils.php | 5 +++--
 application/ThemeUtils.php | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/application/ApplicationUtils.php b/application/ApplicationUtils.php
index 85dcbee..123cc0b 100644
--- a/application/ApplicationUtils.php
+++ b/application/ApplicationUtils.php
@@ -168,14 +168,15 @@ class ApplicationUtils
     public static function checkResourcePermissions($conf)
     {
         $errors = array();
+        $rainTplDir = rtrim($conf->get('resource.raintpl_tpl'), '/');
 
         // Check script and template directories are readable
         foreach (array(
             'application',
             'inc',
             'plugins',
-            $conf->get('resource.raintpl_tpl'),
-            $conf->get('resource.raintpl_tpl').'/'.$conf->get('resource.theme'),
+            $rainTplDir,
+            $rainTplDir.'/'.$conf->get('resource.theme'),
         ) as $path) {
             if (! is_readable(realpath($path))) {
                 $errors[] = '"'.$path.'" directory is not readable';
diff --git a/application/ThemeUtils.php b/application/ThemeUtils.php
index 2718ed1..16f2f6a 100644
--- a/application/ThemeUtils.php
+++ b/application/ThemeUtils.php
@@ -22,6 +22,7 @@ class ThemeUtils
      */
     public static function getThemes($tplDir)
     {
+        $tplDir = rtrim($tplDir, '/');
         $allTheme = glob($tplDir.'/*', GLOB_ONLYDIR);
         $themes = [];
         foreach ($allTheme as $value) {

From 8c322aaba197bab1a9992b731db80d9faa133bc4 Mon Sep 17 00:00:00 2001
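Review bot: The trailing-slash normalisation `rtrim($conf->get('resource.raintpl_tpl'), '/')` is now written out here and again in ThemeUtils::getThemes (the second hunk of this patch), and any other consumer of `resource.raintpl_tpl` that builds a path by concatenation still has the double-separator problem; a single helper on the configuration side returning the normalised template directory would keep all callers in step. It also only strips `/`, so a value given with a trailing backslash on Windows is left as is; `rtrim($dir, '/\\')` covers both. If `resource.raintpl_tpl` is absent the result is `''` and the theme entry becomes `'/'.$conf->get('resource.theme')`, an absolute path, which would then be reported as an unreadable directory rather than as a missing setting — presumably the config layer supplies a default, worth confirming. checkResourcePermissions continues past the end of the hunk.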
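Review bot: After the added `rtrim`, an empty or bare `'/'` value of `$tplDir` becomes `''`, and the following `glob($tplDir.'/*', GLOB_ONLYDIR)` then enumerates the top-level directories of the filesystem as if they were themes; the old code had the same outcome, but since this line now owns the normalisation it is the natural place to reject that case, e.g. `if ($tplDir === '') { return []; }` right after it (assuming an empty list is what callers expect for a missing template directory — verify). getThemes continues past the end of the hunk.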
From: VirtualTam
Date: Tue, 19 Sep 2017 22:08:29 +0200
Subject: [PATCH 2/2] Robustness: safer gzinflate/zlib usage

Relates to https://github.com/shaarli/Shaarli/pull/846

PHP's `gzinflate()` fails with an error when being passed an empty string

See:
- https://bugs.php.net/bug.php?id=71395

Signed-off-by: VirtualTam
---
 application/FileUtils.php | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/application/FileUtils.php b/application/FileUtils.php
index a167f64..918cb83 100644
--- a/application/FileUtils.php
+++ b/application/FileUtils.php
@@ -50,7 +50,8 @@ class FileUtils
 
     /**
      * Read data from a file containing Shaarli database format content.
-     * If the file isn't readable or doesn't exists, default data will be returned.
+     *
+     * If the file isn't readable or doesn't exist, default data will be returned.
      *
      * @param string $file File path.
      * @param mixed $default The default value to return if the file isn't readable.
@@ -61,16 +62,21 @@ class FileUtils
     {
         // Note that gzinflate is faster than gzuncompress.
         // See: http://www.php.net/manual/en/function.gzdeflate.php#96439
-        if (is_readable($file)) {
-            return unserialize(
-                gzinflate(
-                    base64_decode(
-                        substr(file_get_contents($file), strlen(self::$phpPrefix), -strlen(self::$phpSuffix))
-                    )
-                )
-            );
+        if (! is_readable($file)) {
+            return $default;
         }
 
-        return $default;
+        $data = file_get_contents($file);
+        if ($data == '') {
+            return $default;
+        }
+
+        return unserialize(
+            gzinflate(
+                base64_decode(
+                    substr($data, strlen(self::$phpPrefix), -strlen(self::$phpSuffix))
+                )
+            )
+        );
     }
 }
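Review bot: The `$data == ''` guard only covers a wholly empty file, so a truncated datastore or one that lacks the `$phpPrefix`/`$phpSuffix` wrapper still reaches `gzinflate('')` (the `substr` yields `''` or `false`, whose `base64_decode` is `''`), which is exactly the bug 71395 case the commit targets; `gzinflate` returning `false` on corrupt input is not checked either, so `false` flows straight into `unserialize`. The comparison also relies on the loose `==` to absorb a `false` from `file_get_contents` (a file that becomes unreadable between the `is_readable` check and the read), which is better stated explicitly with `=== false`. I would check the length against the wrapper, then the decode and inflate results, and only then unserialize, as below; the datastore is written by Shaarli itself, but passing `['allowed_classes' => false]` to `unserialize` is worth considering if only arrays are ever stored (verify against the writers). readFlatDB's signature is outside the hunk.
```php
        $data = file_get_contents($file);
        $wrapperLength = strlen(self::$phpPrefix) + strlen(self::$phpSuffix);
        // A failed read (false), an empty or truncated file, or a file without the wrapper holds no payload.
        if ($data === false || strlen($data) <= $wrapperLength) {
            return $default;
        }

        $encoded = base64_decode(substr($data, strlen(self::$phpPrefix), -strlen(self::$phpSuffix)));
        if ($encoded === false || $encoded === '') {
            return $default;
        }

        // gzinflate() warns on '' and returns false on corrupt input; stop before unserialize().
        $serialized = gzinflate($encoded);
        if ($serialized === false) {
            return $default;
        }

        return unserialize($serialized);
```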