Merge branch 'dev'

Author: Tam

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.0.4 - 2021-07-09 [CRITICAL]
+### Fixed
+- Fix security vulnerability
+
 ## 3.0.3 - 2019-11-25
 ### Fixed
 - Fix error when first file is not `*.log` (via [@sebschaefer](https://github.com/sebschaefer))

composer.json

@@ -1,7 +1,7 @@
 {
   "name": "ether/logs",
   "description": "Access logs from the CP",
-  "version": "3.0.3",
+  "version": "3.0.4",
   "type": "craft-plugin",
   "minimum-stability": "dev",
   "require": {

src/Controller.php

@@ -2,14 +2,20 @@
 
 namespace ether\logs;
 
+use Craft;
+
 class Controller extends \craft\web\Controller
 {
 
 	public function actionStream ()
 	{
-		$logsDir = \Craft::getAlias('@storage/logs');
-		$logFile = \Craft::$app->request->getParam('log');
-		$currentLog = \Craft::$app->request->get('log', $logFile);
+		$logsDir = Craft::getAlias('@storage/logs');
+		$logFile = Craft::$app->request->getParam('log');
+		$currentLog = basename(Craft::$app->request->get('log', $logFile));
+
+		if (strpos($currentLog, '.log') === false)
+			return '<p>You can only access <code>.log</code> files!</p>';
+
 		$log = file_get_contents($logsDir . '/' . $currentLog);
 
 		exit($log);

src/templates/view.twig

@@ -1,9 +1,11 @@
 <form>
-	<select id="__logSwitch">
-		{% for file in logFiles %}
-			<option{{ file == currentLog ? ' selected' }}>{{ file }}</option>
-		{% endfor %}
-	</select>
+	<label class="select">
+		<select id="__logSwitch">
+			{% for file in logFiles %}
+				<option{{ file == currentLog ? ' selected' }}>{{ file }}</option>
+			{% endfor %}
+		</select>
+	</label>
 </form>
 
 <hr style="margin-bottom:0">