Browse Source

Dont check allowed dirs in JavaScript. Doing it on Python side is good enough.

sisyphus
Dustin Falgout 8 years ago
parent
commit
6399b1211c
No known key found for this signature in database
GPG Key ID: AEA529BF122902E5
  1. 42
      web-greeter/resources/js/ThemeUtils.js

42
web-greeter/resources/js/ThemeUtils.js

@ -29,21 +29,9 @@
let localized_invalid_date = null, let localized_invalid_date = null,
time_language = null, time_language = null,
time_format = null, time_format = null,
allowed_dirs = null,
_ThemeUtils = null; _ThemeUtils = null;
function _set_allowed_dirs() {
allowed_dirs = {
themes_dir: lightdm.themes_dir,
backgrounds_dir: greeter_config.branding.background_images_dir,
lightdm_data_dir: lightdm.shared_data_dir,
tmpdir: '/' + 'tmp',
};
}
/** /**
* Provides various utility methods for use in greeter themes. The greeter will automatically * Provides various utility methods for use in greeter themes. The greeter will automatically
* create an instance of this class when it starts. The instance can be accessed * create an instance of this class when it starts. The instance can be accessed
@ -111,14 +99,12 @@ class ThemeUtils {
* @param {function(string[])} callback Callback function to be called with the result. * @param {function(string[])} callback Callback function to be called with the result.
*/ */
dirlist( path, only_images = true, callback ) { dirlist( path, only_images = true, callback ) {
let allowed = false;
if ( '' === path || 'string' !== typeof path ) { if ( '' === path || 'string' !== typeof path ) {
console.log('[ERROR] theme_utils.dirlist(): path must be a non-empty string!'); console.error('[ERROR] theme_utils.dirlist(): path must be a non-empty string!');
return callback([]); return callback([]);
} else if ( null !== path.match(/^[^/].+/) ) { } else if ( null !== path.match(/^[^/].+/) ) {
console.log('[ERROR] theme_utils.dirlist(): path must be absolute!'); console.error('[ERROR] theme_utils.dirlist(): path must be absolute!');
return callback([]); return callback([]);
} }
@ -127,36 +113,14 @@ class ThemeUtils {
path = path.replace(/\/\.+(?=\/)/g, '' ); path = path.replace(/\/\.+(?=\/)/g, '' );
} }
if ( null === allowed_dirs ) {
_set_allowed_dirs();
}
if ( ! Object.keys( allowed_dirs ).some( dir => path.startsWith( allowed_dirs[dir] ) ) ) {
console.log(`[ERROR] theme_utils.dirlist(): path is not allowed: ${path}`);
return callback([]);
}
try { try {
return _ThemeUtils.dirlist( path, only_images, callback ); return _ThemeUtils.dirlist( path, only_images, callback );
} catch( err ) { } catch( err ) {
console.log( `[ERROR] theme_utils.dirlist(): ${err}` ); console.error( `[ERROR] theme_utils.dirlist(): ${err}` );
return callback([]); return callback([]);
} }
} }
/**
* Escape HTML entities in a string.
*
* @param {string} text The text to be escaped.
*
* @returns {string}
*/
esc_html( text ) {
return this.txt2html( text );
}
/** /**
* Get the current time in a localized format. Time format and language are auto-detected * Get the current time in a localized format. Time format and language are auto-detected
* by default, but can be set manually in the greeter config file. * by default, but can be set manually in the greeter config file.

Loading…
Cancel
Save