-rwxr-xr-xlive_css.module22
1 files changed, 22 insertions, 0 deletions
diff --git a/live_css.module b/live_css.module
index 63d3c2a..d2ed092 100755
--- a/live_css.module
+++ b/live_css.module
@@ -216,6 +216,24 @@ function live_css_save() {
// i.e. http://.../css/my_file.css?m1unhm
$sanitized_url = _live_css_sanitize_css_url($href);
+ if (substr($sanitized_url, -4) != '.css' && substr($sanitized_url, -5) != '.less') {
+ echo drupal_json_encode(array(
+ 'result' => 'failure',
+ 'filename' => $path,
+ 'msg' => 'Can\'t save to files without a \'less\' or \'css\' extension!'
+ ));
+ return;
+ }
+
+ if (file_munge_filename($sanitized_url) != $sanitized_url) {
+ echo drupal_json_encode(array(
+ 'result' => 'failure',
+ 'filename' => $path,
+ 'msg' => 'The url used contains a sub-filextension which poses a security threat. Saving not allowed.'
+ ));
+ return;
+ }
+
// File path relative to Drupal installation folder.
global $base_url;
$stripped_url = drupal_substr($sanitized_url, drupal_strlen($base_url) , drupal_strlen($sanitized_url));
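Review bot: `file_munge_filename()` in the new check is handed the whole sanitized URL, host included, and (if I have the Drupal 7 signature right) without its required `$extensions` argument, so the comparison is less predictable than intended: a short dotted host label such as `site` in `my.site.org` matches the munge pattern and appears to cause a false rejection, and the missing argument raises a warning (or an ArgumentCountError on PHP 7.1+). Run the check on the file name alone with an explicit whitelist, e.g. `$name = basename($sanitized_url);` followed by `if (file_munge_filename($name, 'css less') != $name) {`, and keep in mind that munging is bypassed entirely when the `allow_insecure_uploads` variable is set, so this is not a complete guard on such sites. The `$stripped_url` line that follows strips `$base_url` by length without confirming the URL starts with it, so a URL on another host still yields a usable relative path; a `strpos($sanitized_url, $base_url) !== 0` rejection before it would close that. `live_css_save()` starts and ends outside this hunk, and `$path` used in the error payloads is defined outside it.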
@@ -251,6 +269,10 @@ function _live_css_sanitize_css_url($url){
if ($pos !== FALSE) {
$result = substr($url, 0, $pos + 4);
}
+ $pos = strpos($url, '.less?');
+ if ($pos !== FALSE) {
+ $result = substr($url, 0, $pos + 5);
+ }
return $result;
}
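Review bot: The new `.less?` branch runs after the `.css?` branch and overwrites `$result` regardless of which marker appears first in `$url`, so a URL containing both, e.g. `a.css?v=.less?x`, is cut at the later `.less` and then passes the `.less` extension test in `live_css_save()` instead of being truncated to `a.css`. Truncating at the earliest marker removes the ambiguity, and a single non-greedy regex does it in one step in place of both branches: `if (preg_match('/^(.*?\.(?:css|less))\?/', $url, $m)) { $result = $m[1]; }`. Either way a `.css`/`.less` URL with no query string is returned untouched, which is presumably what the `$result` default set above the hunk provides. `_live_css_sanitize_css_url()` starts before this hunk.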