Security patch.

Changelog excerpt:
- Improved the safeguards for getAssetPath.

Author: Maikuolan

Changelog.md

@@ -200,6 +200,9 @@ __*Why "v3.0.0" instead of "v1.0.0?"*__ Prior to phpMussel v3, the "phpMussel Co
 - [2025.07.07]: The formatFilesize method wasn't accounting for negative numbers; Fixed.
 - [2025.07.26]: Some browsers, in some contexts, were raising errors during request inspection concerning the absence of any X-Content-Type-Options header declaration (though it isn't entirely clear whether this error had any actual effect); Fixed.
 
+#### Security.
+- [2025.08.09]: Improved the safeguards for getAssetPath.
+
 #### Other changes.
 - [2025.07.05]: Aesthetic patch.
 - [2025.07.08]: Added the ability to route all outbound requests through a proxy, and two new configuration directives, `request_proxy` and `request_proxyauth`.

assets/default/_logs.html

@@ -2,10 +2,10 @@
 <tr>
   <td class="nav{mod_class_nav}"><div class="big">
 {nav}    <hr /></div>
-    <div class="ng1 idx">{LogFiles}</div>
+    <div class="ng1 idx">{LogFiles}    </div>
   </td>
   <td class="right{mod_class_right}">
-  <div class="ng1 s flong mob">{LogFiles}</div>
+  <div class="ng1 s flong mob">{LogFiles}  </div>
   <span class="s">{TextModeSwitchLink}{ProcessTime}</span>
   <hr />
 {logfileData}

src/FrontEnd.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Front-end handler (last modified: 2025.08.08).
+ * This file: Front-end handler (last modified: 2025.08.09).
  */
 
 namespace phpMussel\FrontEnd;
@@ -330,6 +330,11 @@ public function view(string $Page = ''): void
             'FormTarget' => $_POST['phpmussel-form-target'] ?? ''
         ];
 
+        /** Fix for immediate display of freshly updated theme selection. */
+        if (!empty($_POST['config_frontend_theme']) && !preg_match('~[^a-z]~', $_POST['config_frontend_theme']) && ($_POST['config_frontend_theme'] === 'default' ?: file_exists($this->AssetsPath . $_POST['config_frontend_theme'] . DIRECTORY_SEPARATOR . 'frontend.css'))) {
+            $FE['theme'] = $_POST['config_frontend_theme'];
+        }
+
         /** Populated by [Home | Log Out] by default; Replaced by [Log Out] for some specific pages (e.g., the homepage). */
         $FE['bNav'] = $FE['HomeButton'] . $FE['LogoutButton'];
 
@@ -388,6 +393,9 @@ public function view(string $Page = ''): void
         /** A simple passthru for the front-end CSS. */
         if ($Page === 'css') {
             $this->eTaggable('frontend.css', function ($AssetData) use (&$FE) {
+                if (!empty($this->QueryVariables['theme-mode'])) {
+                    $FE['theme_mode_effects'] = $this->Loader->ConfigurationDefaults['frontend']['theme_mode']['effects'][$this->QueryVariables['theme-mode']] ?? '';
+                }
                 return $this->embedAssets($this->Loader->parse($FE, $AssetData, true));
             });
         }
@@ -882,6 +890,20 @@ private function filterByDefined(string $ChoiceKey): bool
         return defined($ChoiceKey);
     }
 
+    /**
+     * Traversal detection.
+     *
+     * @param string $Path The path to check for traversal.
+     * @return bool True when the path is traversal-free. False when traversal has been detected.
+     */
+    private function freeFromTraversal(string $Path): bool
+    {
+        return !preg_match(
+            '~(?://|(?<![\da-z])\.\.(?![\da-z])|/\.(?![\da-z])|(?<![\da-z])\./|[\x01-\x1F\[-^`?*$])~i',
+            str_replace('\\', '/', $Path)
+        );
+    }
+
     /**
      * Get the appropriate path for a specified asset as per the defined theme.
      *
@@ -892,8 +914,8 @@ private function filterByDefined(string $ChoiceKey): bool
      */
     private function getAssetPath(string $Asset, bool $CanFail = false): string
     {
-        /** Guard against unsafe paths. */
-        if (preg_match('~[^\da-z._]~i', $Asset)) {
+        /** Guard against unsafe paths and traversal attacks. */
+        if (preg_match('~[^\da-z._]~i', $Asset) || !$this->freeFromTraversal($Asset)) {
             return '';
         }
 
@@ -905,20 +927,20 @@ private function getAssetPath(string $Asset, bool $CanFail = false): string
             }
         }
 
-        /** Non-default assets. */
+        /** Non-default theme assets. */
         if (
             $this->Loader->Configuration['frontend']['theme'] !== 'default' &&
             is_readable($this->AssetsPath . $this->Loader->Configuration['frontend']['theme'] . DIRECTORY_SEPARATOR . $Asset)
         ) {
             return $this->AssetsPath . $this->Loader->Configuration['frontend']['theme'] . DIRECTORY_SEPARATOR . $Asset;
         }
 
-        /** Default assets. */
+        /** Default theme assets. */
         if (is_readable($this->AssetsPath . 'default' . DIRECTORY_SEPARATOR . $Asset)) {
             return $this->AssetsPath . 'default' . DIRECTORY_SEPARATOR . $Asset;
         }
 
-        /** Assets base directory. */
+        /** Front-end assets base directory assets. */
         if (is_readable($this->AssetsPath . $Asset)) {
             return $this->AssetsPath . $Asset;
         }
@@ -1618,6 +1640,9 @@ private function eTaggable(string $Asset, ?callable $Callback = null): void
                 }
                 if ($Success) {
                     $AssetData = $this->Loader->readFile($ThisAsset);
+                    if (is_callable($Callback)) {
+                        $AssetData = $Callback($AssetData);
+                    }
                     $OldETag = $_SERVER['HTTP_IF_NONE_MATCH'] ?? '';
                     $NewETag = hash('sha256', $AssetData) . '-' . strlen($AssetData);
                     header('Last-Modified: ' . gmdate('D, d M Y H:i:s T', filemtime($ThisAsset)));
@@ -1633,9 +1658,6 @@ private function eTaggable(string $Asset, ?callable $Callback = null): void
                     if ($NoSniff) {
                         header('X-Content-Type-Options: nosniff');
                     }
-                    if (is_callable($Callback)) {
-                        $AssetData = $Callback($AssetData);
-                    }
                     echo $AssetData;
                     die;
                 }

src/pages/logs.php

@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: The logs page (last modified: 2025.04.24).
+ * This file: The logs page (last modified: 2025.08.09).
  */
 
 namespace phpMussel\FrontEnd;
@@ -24,13 +24,12 @@
 $FE['FE_Content'] = $this->Loader->parse($FE, $this->Loader->readFile($this->getAssetPath('_logs.html')), true);
 
 /** Initialise array for fetching logs data. */
-$FE['LogFiles'] = ['Files' => $this->logsRecursiveList(), 'Out' => ''];
+$FE['LogFiles'] = ['Files' => $this->logsRecursiveList(), 'Out' => "\n"];
 
 /** Download a log file. */
 if (
-    isset($this->QueryVariables['text-mode'], $this->QueryVariables['logfile']) &&
-    $this->QueryVariables['text-mode'] === 'download' &&
-    isset($FE['LogFiles']['Files'][$this->QueryVariables['logfile']])
+    isset($this->QueryVariables['text-mode'], $this->QueryVariables['logfile'], $FE['LogFiles']['Files'][$this->QueryVariables['logfile']]) &&
+    $this->QueryVariables['text-mode'] === 'download'
 ) {
     header('Content-Type: application/octet-stream');
     header('Content-Transfer-Encoding: Binary');