| | |
|---|
| | | */ |
|---|
| | | public function set_skin($skin) |
|---|
| | | { |
|---|
| | | // Sanity check to prevent from path traversal vulnerability (#1490620) |
|---|
| | | if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) { |
|---|
| | | rcube::raise_error(array( |
|---|
| | | 'file' => __FILE__, |
|---|
| | | 'line' => __LINE__, |
|---|
| | | 'message' => 'Invalid skin name' |
|---|
| | | ), true, false); |
|---|
| | | |
|---|
| | | return false; |
|---|
| | | } |
|---|
| | | |
|---|
| | | $valid = false; |
|---|
| | | $path = RCUBE_INSTALL_PATH . 'skins/'; |
|---|
| | | |
|---|
| | |
|---|
| | | } |
|---|
| | | $valid = !$skin; |
|---|
| | | } |
|---|
| | | |
|---|
| | | $skin_path = rtrim($skin_path, '/'); |
|---|
| | | |
|---|
| | | $this->config->set('skin_path', $skin_path); |
|---|
| | | $this->base_path = $skin_path; |
|---|
| | |
|---|
| | | $attrib['name'] = $this->eval_expression($attrib['expression']); |
|---|
| | | |
|---|
| | | if ($attrib['name'] || $attrib['command']) { |
|---|
| | | // @FIXME: 'noshow' is useless, remove? |
|---|
| | | if ($attrib['noshow']) { |
|---|
| | | return ''; |
|---|
| | | } |
|---|
| | | |
|---|
| | | $vars = $attrib + array('product' => $this->config->get('product_name')); |
|---|
| | | unset($vars['name'], $vars['command']); |
|---|
| | | |
|---|
| | | $label = $this->app->gettext($attrib + array('vars' => $vars)); |
|---|
| | | $quoting = !empty($attrib['quoting']) ? strtolower($attrib['quoting']) : (rcube_utils::get_boolean((string)$attrib['html']) ? 'no' : ''); |
|---|
| | | |
|---|
| | | // 'noshow' can be used in skins to define new labels |
|---|
| | | if ($attrib['noshow']) { |
|---|
| | | return ''; |
|---|
| | | } |
|---|
| | | |
|---|
| | | switch ($quoting) { |
|---|
| | | case 'no': |
|---|
| | | case 'raw': |
|---|
