🔐 Restricted reading files from outside the theme directory
closes https://github.com/TryGhost/Product/issues/4191 Without this patch, themes can read arbitrary files from your system and expose them to the internet via the layout feature of express-hbs. For example `{{!< ../../../../config.production.json}}` would spit out config, which can contain secrets. As theme upload is restricted to users with the Admin role, this mostly affects hosting providers which use their own secret keys for e.g. mail or database config.
This commit is contained in:
parent
d30a6633ab
commit
07f9564eea
@ -112,7 +112,7 @@ class ActiveTheme {
siteApp.cache = {};
// Set the views and engine
siteApp.set('views', this.path);
siteApp.engine('hbs', engine.configure(this.partialsPath));
siteApp.engine('hbs', engine.configure(this.partialsPath, this.path));
this._mounted = true;
}
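Review bot: `this.path` becomes the security boundary that express-hbs uses to confine layout lookups, but nothing in this hunk shows whether it is an absolute, normalized path; a containment check built on a relative or unnormalized root is unreliable. If the value is not already resolved where `this.path` is assigned, pass a resolved path here, or make the invariant visible with `// this.path must be an absolute path: it is the root express-hbs restricts {{!< layout}} lookups to`. The enclosing method starts outside the hunk.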
@ -9,12 +9,13 @@ if (config.get('env') !== 'production') {
instance.escapeExpression = instance.handlebars.Utils.escapeExpression;
instance.configure = function configure(partialsPath) {
instance.configure = function configure(partialsPath, themePath) {
const hbsOptions = {
partialsDir: [config.get('paths').helperTemplates],
onCompile: function onCompile(exhbs, source) {
return exhbs.handlebars.compile(source, {preventIndent: true});
}
},
restrictLayoutsTo: themePath
};
if (partialsPath) {
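Review bot: `restrictLayoutsTo: themePath` fails open when `configure` is called without its new second argument: the option is then `undefined`, and if express-hbs only enforces the boundary when the option is set, layout resolution stays as unrestricted as it was before this patch for that caller. Consider making the argument mandatory with `if (!themePath) { throw new Error('configure: themePath is required to restrict layout resolution to the theme directory'); }` at the top of the function, or at minimum document the contract on the option line: `// restrictLayoutsTo: express-hbs will only resolve {{!< layout}} paths inside this directory; leaving it undefined disables the check`. The function body continues past the end of the hunk.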
@ -178,7 +178,7 @@
"downsize": "0.0.8",
"express": "4.18.2",
"express-brute": "1.0.1",
"express-hbs": "2.4.2",
"express-hbs": "2.5.0",
"express-jwt": "8.4.1",
"express-lazy-router": "1.0.6",
"express-query-boolean": "2.0.0",
13
yarn.lock
13
yarn.lock
@ -17345,7 +17345,18 @@ express-brute@1.0.1, express-brute@^1.0.1:
long-timeout "~0.1.1"
underscore "~1.8.3"
express-hbs@2.4.2, express-hbs@^2.4.2:
express-hbs@2.5.0:
version "2.5.0"
resolved "https://registry.yarnpkg.com/express-hbs/-/express-hbs-2.5.0.tgz#28ed0b8507bb7bcceb102b63fe863585f13a4d89"
integrity sha512-i2O1ZBwKO32KF0MePnkgYHsAAILr9H9Sp5GoGp9JWz/qhsBfTMSq9VF1pN109DHysPX6YO88y7B+f6xnEEF/mg==
dependencies:
handlebars "^4.7.7"
lodash "^4.17.21"
readdirp "^3.6.0"
optionalDependencies:
js-beautify "^1.13.11"
express-hbs@^2.4.2:
version "2.4.2"
resolved "https://registry.yarnpkg.com/express-hbs/-/express-hbs-2.4.2.tgz#9bc18a08d89eea2aaea94b2e5c38859e86a99019"
integrity sha512-lFtWrsAGprvzPrVlfNE6WGJnyE+o/UxsTpl2CWcJt1CRYaUwht9+BkfKOWqs+xG0zhhRAm/bsYEyQ4EwA+ovSw==