static/img: Make sure to correctly access module images

fixes #4226 (cherry picked from commit 3035efa)
Icinga · Aug 14, 2020 · c6baff2 · c6baff2
1 parent 999e76e
commit c6baff2
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/application/controllers/StaticController.php b/application/controllers/StaticController.php
@@ -68,16 +68,16 @@ public function gravatarAction()
      */
     public function imgAction()
     {
-        $moduleRoot = Icinga::app()
+        $imgRoot = Icinga::app()
             ->getModuleManager()
             ->getModule($this->getParam('module_name'))
-            ->getBaseDir();
+            ->getBaseDir() . '/public/img/';
 
         $file = $this->getParam('file');
-        $filePath = realpath($moduleRoot . '/public/img/' . $file);
+        $filePath = realpath($imgRoot . $file);
 
-        if ($filePath === false) {
-            $this->httpNotFound('%s does not exist', $filePath);
+        if ($filePath === false || substr($filePath, 0, strlen($imgRoot)) !== $imgRoot) {
+            $this->httpNotFound('%s does not exist', $file);
         }
 
         if (preg_match('/\.([a-z]+)$/i', $file, $m)) {