
Commit bb1ce8c

committed
coderabbit's qa fix
1 parent d298de7 commit bb1ce8c


1 file changed

+34
-6
lines changed

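--- a/src/compatibility/blocksy/index.php
+++ b/src/compatibility/blocksy/index.php
@@ -100,8 +100,18 @@ function stackable_sanitize_css_string( $css ) {
 $css = preg_replace('/\bexpression\s*\([^)]*\)/i', '', $css);
 $css = preg_replace('/\bjavascript\s*:/i', '', $css);
 
-// clean urls
-$css = preg_replace('/url\(\s*[\'"]?\s*https?:\/\/[^\'")]+\s*[\'"]?\s*\)/i', 'url("")', $css);
+// Only allow URLs from the theme directory
+$theme_uri = preg_quote( get_template_directory_uri(), '/' );
+$css = preg_replace_callback(
+'/url\(\s*[\'"]?\s*(https?:\/\/[^\'")]+)\s*[\'"]?\s*\)/i',
+function( $matches ) use ( $theme_uri ) {
+if ( preg_match( "/^{$theme_uri}/i", $matches[1] ) ) {
+return $matches[0]; // Keep theme URLs
+}
+return 'url("")'; // Remove others
+},
+$css
+);
 
 // Block unsafe tokens
 $css = preg_replace('/\b(?:eval|mocha)\b(\s*:|\s*\()/i', '/* blocked */$1', $css);
@@ -145,10 +155,28 @@ function( $file ) {
 foreach ( $blocksy_static_files as $file ) {
 if ( isset( $file['url'] ) ) {
 $file_path = get_template_directory() . $file['url'];
-$mime = mime_content_type( $file_path );
-$is_valid_mime = $mime === 'text/css' || $mime === 'text/plain';
-if ( file_exists( $file_path ) && is_readable( $file_path ) && $is_valid_mime ) {
-$styles .= file_get_contents( $file_path );
+
+// Normalize and validate the path to prevent traversal
+$file_url = ltrim( $file['url'], '/' );
+$file_path = get_template_directory() . '/' . $file_url;
+$file_path = realpath( $file_path );
+$theme_dir = realpath( get_template_directory() );
+
+// Ensure the resolved path is within the theme directory
+if ( ! $file_path || strpos( $file_path, $theme_dir ) !== 0 ) {
+continue;
+}
+
+if ( file_exists( $file_path ) && is_readable( $file_path ) ) {
+$extension = strtolower( pathinfo( $file_path, PATHINFO_EXTENSION ) );
+if ( $extension !== 'css' ) {
+continue;
+}
+$content = file_get_contents( $file_path );
+if ( $content !== false ) {
+$styles .= $content;
+}
+
 }
 }
 }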
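Review bot: Both containment checks added here are bare prefix comparisons, so a sibling directory whose name merely starts with the theme's passes them: in the second hunk `strpos( $file_path, $theme_dir ) !== 0` accepts `<theme_dir>-other/x.css` when the theme lives at `<theme_dir>`, and `preg_match( "/^{$theme_uri}/i", $matches[1] )` in the first hunk has the same gap for URLs. Append a separator to what is compared, e.g. `if ( ! $file_path || ! $theme_dir || strpos( $file_path, $theme_dir . DIRECTORY_SEPARATOR ) !== 0 ) {`, and in the first hunk compute `$theme_uri = rtrim( get_template_directory_uri(), '/' ) . '/';` and test `if ( stripos( $matches[1], $theme_uri ) === 0 ) {` instead of the regex. The added `! $theme_dir` guard matters because `realpath()` returns false on failure and, under non-strict typing, `strpos()` with a needle coerced to the empty string returns 0 on PHP 8, which would pass the check. The context line `$file_path = get_template_directory() . $file['url'];` is now overwritten before it is ever read and can be dropped, and `$theme_dir` does not vary per iteration, so it can be computed once before the `foreach`. The enclosing scope (the hunk header names `function( $file )`) starts and ends outside the hunk.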
