Ticket #7417 (closed defect (bug): fixed)

Opened 4 years ago

Last modified 4 years ago

Theme preview fails when Theme folder contains "." (dot)

Reported by: supremecolor Owned by: anonymous
Priority: normal Milestone: 2.6.1
Component: Template Version: 2.6
Severity: normal Keywords: theme, preview
Cc:

Description

If the theme directory's name has a dot (.) in it, the admin theme preview will show a blank page.

For example, rename the default theme directory to "defau.lt" and click to preview the theme in the admin area; it shows a blank page.

Change History

Confirming this (with 2.6)

I'm not really sure why anyone would want to have a directory with a . in it, and I expect that there may be some security implications in it.

That said, since the theme itself works regardless of the . then the preview image should work, too.

  • Milestone set to 2.7

Security? The exploit I can think of is '../../../to/public/folder/with/whatever/'. Periods are legal in folder names. '../' should be stripped, not '.'.
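
The distinction drawn in the comment above (keep legal dots, refuse traversal segments), as an added example that is not part of the ticket and not WordPress code. The function names and the temporary theme root are hypothetical, and the inputs are constructed.

```php
<?php
// Added example. Names and paths here are hypothetical, not WordPress's.

// Over-strict filter: removes every character outside [A-Za-z0-9_-].
// "defau.lt" silently becomes "default", so the lookup for the real
// directory fails and the preview has nothing to render.
function strip_all_dots(string $name): string {
    return preg_replace('/[^a-z0-9_-]/i', '', $name);
}

// Validate instead of rewriting: the value must be exactly one path
// segment. Dots inside the name are allowed; "." and ".." are not, and
// the character class excludes "/" and "\". \A and \z anchor the whole
// string (a plain "$" would also accept a trailing newline).
function is_safe_theme_dir(string $name): bool {
    if ($name === '.' || $name === '..') {
        return false;
    }
    return preg_match('/\A[A-Za-z0-9_.-]+\z/', $name) === 1;
}

// Second check: resolve the path (symlinks included) and confirm the
// result is still a directory directly under the theme root.
function resolve_theme_dir(string $root, string $name): ?string {
    if (!is_safe_theme_dir($name)) {
        return null;
    }
    $rootReal = realpath($root);
    $real = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $real === false || !is_dir($real)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo: a throwaway theme root containing "defau.lt".
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'themes-demo';
@mkdir($root . DIRECTORY_SEPARATOR . 'defau.lt', 0700, true);

$samples = ['defau.lt', '..', '../../../to/public/folder/with/whatever/'];
foreach ($samples as $s) {
    printf("%-42s stripped=%-28s resolved=%s\n",
        $s, strip_all_dots($s), resolve_theme_dir($root, $s) ?? '(rejected)');
}
```
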

comment:3 ryan 4 years ago

  • Status changed from new to closed
  • Resolution set to fixed
  • Milestone changed from 2.7 to 2.6.1