Fix security issue allowing a user to view any file on the system

Tam · Tam · commit ef0581db1ae4 · 2019-06-03T12:13:47.000+01:00
Fixes #2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,6 @@
+## 3.0.1 - 2019-06-03
+### Fixed
+- Fix security issue allowing a user to view any file on the system #2
+
+## 3.0.0 - 2017-12-01
+Initial Release
diff --git a/composer.json b/composer.json
@@ -1,7 +1,7 @@
 {
   "name": "ether/logs",
   "description": "Access logs from the CP",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "type": "craft-plugin",
   "minimum-stability": "dev",
   "require": {
diff --git a/src/Utility.php b/src/Utility.php
@@ -41,7 +41,10 @@ function ($var) {
 		if (!count($logFiles))
 			return '<p>You don\'t have any log files.</p>';
 
-		$currentLog = Craft::$app->request->get('log', $logFiles[0]);
+		$currentLog = basename(Craft::$app->request->get('log', $logFiles[0]));
+
+		if (strpos($currentLog, '.log') === false)
+			return '<p>You can only access <code>.log</code> files!</p>';
 
 		$url = explode('?log', Craft::$app->request->url)[0];
 

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "ether/logs",`
`3`	`3`	`"description": "Access logs from the CP",`
`4`		`- "version": "3.0.0",`
	`4`	`+ "version": "3.0.1",`
`5`	`5`	`"type": "craft-plugin",`
`6`	`6`	`"minimum-stability": "dev",`
`7`	`7`	`"require": {`