Fixed an information disclosure vulnerability

craftcms · Oct 21, 2024 · 3ee85a4 · 3ee85a4
1 parent 147c748
commit 3ee85a4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 - Fixed a bug where admin table header cells weren’t indicating when they were sorted. ([#15897](https://github.com/craftcms/cms/issues/15897))
 - Fixed an error that occurred when creating a database backup, if the System Name contained any quote-like characters. ([#15933](https://github.com/craftcms/cms/issues/15933))
+- Fixed an information disclosure vulnerability.
 
 ## 4.12.7 - 2024-10-15
 

diff --git a/src/helpers/Html.php b/src/helpers/Html.php
@@ -992,6 +992,12 @@ public static function dataUrl(string $file, ?string $mimeType = null): string
 
         $file = FileHelper::absolutePath(Craft::getAlias($file), '/');
 
+        // make sure it's contained within the project rot
+        $rootPath = FileHelper::absolutePath(Craft::getAlias('@root'), '/');
+        if (!str_starts_with($file, "$rootPath/")) {
+            throw new InvalidArgumentException(sprintf('%s cannot be passed a path outside of the project root.', __METHOD__));
+        }
+
         if (Craft::$app->getSecurity()->isSystemDir(dirname($file))) {
             throw new InvalidArgumentException(sprintf('%s cannot be passed a path within or above system directories.', __METHOD__));
         }