Fixed bug #15772: template::getHtmlTemplate() doesn't allow absolute file paths...
authorSusanne Moog <typo3@susannemoog.de>
Thu, 7 Oct 2010 18:03:55 +0000 (18:03 +0000)
committerSusanne Moog <typo3@susannemoog.de>
Thu, 7 Oct 2010 18:03:55 +0000 (18:03 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@9007 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/template.php

index f9892e8..7bdf40d 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010-10-07  Susanne Moog  <typo3@susanne-moog.de>
+
+       *  Fixed bug #15772:  template::getHtmlTemplate() doesn't allow absolute file paths (thanks to Jigal van Hemert and Peter Russ)
+
 2010-10-06  Stanislas Rolland  <typo3@sjbr.ca>
 
        * Follow-up to bug #15880: htmlArea RTE: Context menu not working in TYPO3 4.4.3 and 4.5-dev
index e011d52..d107f76 100644 (file)
@@ -2022,12 +2022,18 @@ $str.=$this->docBodyTagBegin().
                if ($GLOBALS['TBE_STYLES']['htmlTemplates'][$filename]) {
                        $filename = $GLOBALS['TBE_STYLES']['htmlTemplates'][$filename];
                }
-               if (substr($filename,0,4) != 'EXT:') {
+               if (t3lib_div::isFirstPartOfStr($filename, 'EXT:')) {
+                       $filename = t3lib_div::getFileAbsFileName($filename, TRUE, TRUE);
+               } else if (!t3lib_div::isAbsPath($filename)) {
                        $filename = t3lib_div::resolveBackPath($this->backPath . $filename);
-               } else {
-                       $filename = t3lib_div::getFileAbsFileName($filename, true, true);
+               } else if (!t3lib_div::isAllowedAbsPath($filename)) {
+                       $filename = '';
+               }
+               $htmlTemplate = '';
+               if ($filename !== '') {
+                       $htmlTemplate = t3lib_div::getURL($filename);
                }
-               return t3lib_div::getURL($filename);
+               return $htmlTemplate;
        }
 
        /**
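Review bot: The `isAllowedAbsPath()` check added in the last `else if` covers only names that are already absolute. The relative branch still hands `resolveBackPath($this->backPath . $filename)` to `t3lib_div::getURL()`, which reads URLs as well as local files, so `../` segments or a scheme prefix in a relative name are not constrained the way absolute paths now are. Where `$filename` comes from is not visible in this hunk; if it can ever originate outside trusted module code or the `TBE_STYLES` configuration, the resolved path should be validated on every branch before the read. A rejected absolute path also becomes `''` silently, so a log entry such as `t3lib_div::sysLog('Template path not allowed: ' . $filename, 'Core', 2);` placed before `$filename = '';` would make the rejection visible to an administrator. The method's signature and docblock start outside the hunk; the docblock should state that an empty string is returned when the path is rejected.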