From 6216e485e66dbfbe652c48cb7f141b9f6bb1b5ea Mon Sep 17 00:00:00 2001
From: oyvind Gjesdal <oyvind@localhost.localdomain>
Date: Fri, 9 Jul 2021 22:22:32 +0200
Subject: [PATCH] if outside either paths, send404

---
 classes/modules/staticModule.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/classes/modules/staticModule.php b/classes/modules/staticModule.php
index 51f51ec2..4ce161df 100644
--- a/classes/modules/staticModule.php
+++ b/classes/modules/staticModule.php
@@ -30,8 +30,8 @@ class StaticModule extends abstractModule{
     $imgdir = realpath($conf['static']['directory'] . "img");
     $resourcepath = realpath($conf['static']['directory'].$file);
 
-    // static resources should be in static or img dir (img may be symlinked)
-    if (not(strpos($resourcepath, $staticdir)=== 0 or strpos($resourcepath, $imgdir)=== 0)) {
+    // static resources should be in static or img dir (img may be symlinked, check realpath of img as well)
+    if (strpos($resourcepath, $staticdir)!== 0 and strpos($resourcepath, $imgdir)!== 0) {
     	HTTPStatus::send404($file); // send404 calls exit();//
         }
         $filenamearray =explode(".",$file);
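Review bot: The containment test on the added `if` line is a bare string-prefix match on `realpath()` results, so it can accept paths outside the two directories. `realpath()` returns a path without a trailing separator, so a sibling directory whose name merely begins with the same characters (constructed example: `static_old` next to `static`) passes the `strpos(...) !== 0` test; and `realpath()` returns `false` when the `img` directory does not exist, which PHP 8 coerces to an empty needle that matches at offset 0 for every path. Compare against the directory plus `DIRECTORY_SEPARATOR` and reject `false` explicitly, e.g. `$inImg = $imgdir !== false && strpos($resourcepath, $imgdir . DIRECTORY_SEPARATOR) === 0;` with the same form for `$staticdir`, then `if ($resourcepath === false || !($inStatic || $inImg)) {`. `$staticdir` is assigned above the hunk, so treating it as a `realpath()` result is an inference, and the method body starts and ends outside the hunk.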
-- 
GitLab