authorAlexandre Alapetite <alexandre@alapetite.fr>2025-04-01 19:13:27 +0200
committerGitHub <noreply@github.com>2025-04-01 19:13:27 +0200
commitd3aaefb1f6c13bf3817cd0b89e4bcaa751765181 (patch)
tree29210d90c1f06436fe8209a09d382e3a846756bb
parent89b0e1168ed1dca562757655cf7de31483218592 (diff)
downloadfreshrss-d3aaefb1f6c13bf3817cd0b89e4bcaa751765181.tar.gz
freshrss-d3aaefb1f6c13bf3817cd0b89e4bcaa751765181.zip
Fix ext.php: Restrict valid paths in ext.php for extensions (#7479)
* Fix ext.php: Restrict valid paths in ext.php for extensions. Rework of https://github.com/FreshRSS/FreshRSS/pull/7474
* Fix wrong variable
-rw-r--r--p/ext.php11
1 files changed, 7 insertions, 4 deletions
diff --git a/p/ext.php b/p/ext.php
index dbd9a8cbb..30b5b1503 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -78,10 +78,8 @@ function is_valid_path_extension(string $path, string $extensionPath, bool $isSt
* @return bool true if it can be served, false otherwise.
*/
function is_valid_path(string $path): bool {
- return !str_contains($path, '..') && !str_starts_with($path, '/') && !str_starts_with($path, '\\') && (
- is_valid_path_extension($path, CORE_EXTENSIONS_PATH) ||
- is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH) ||
- is_valid_path_extension($path, USERS_PATH, false));
+ return is_valid_path_extension($path, CORE_EXTENSIONS_PATH) || is_valid_path_extension($path, THIRDPARTY_EXTENSIONS_PATH)
+ || is_valid_path_extension($path, USERS_PATH, false);
}
function sendBadRequestResponse(?string $message = null): never {
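Review bot: With the `..` and leading-separator checks dropped from is_valid_path(), the function now relies on the caller having screened the raw name first, but its docblock (which begins before this hunk) still only says `true if it can be served`. Add a line such as ` * Callers must reject '..' and a leading '/' or '\' in the raw request value before calling; this only tests the path against the allowed roots via is_valid_path_extension().` so the precondition is stated at the definition and not just at the single call site in this file. The body of is_valid_path_extension() is not part of this diff, so whether it normalises or canonicalises the path itself cannot be confirmed from here.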
@@ -105,6 +103,11 @@ if (empty(SUPPORTED_TYPES[$file_type]) ||
sendBadRequestResponse('File type is not supported.');
}
+// Forbid absolute paths and path traversal
+if (str_contains($file_name, '..') || str_starts_with($file_name, '/') || str_starts_with($file_name, '\\')) {
+ sendBadRequestResponse('File is not supported.');
+}
+
$absolute_filename = get_absolute_filename($file_name);
if (!is_valid_path($absolute_filename)) {
sendBadRequestResponse('File is not supported.');
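Review bot: The added guard tests the raw `$file_name`, which is the right place — the version removed in the earlier hunk tested `$absolute_filename`, where a leading `/` is presumably always present and any `..` may already be resolved — but the comment on the new line says only what is forbidden, not why the ordering matters. Suggest `// Must run on the raw request value: after get_absolute_filename() the path is absolute and '..' may already be resolved`. An embedded NUL byte is still not rejected by the new condition; if get_absolute_filename() reaches a filesystem function, PHP 8 throws ValueError for a NUL in a path, which would surface as an error instead of the intended 400, so consider extending the condition with `|| str_contains($file_name, "\0")`. Whether the later is_valid_path() check would catch this cannot be confirmed, since is_valid_path_extension() is outside the diff.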