improve fix for #109 to ensure themes can access only the directories…

… allowed.
Antergos · Jan 21, 2017 · 0600412 · 0600412
1 parent d55638f
commit 0600412
Showing 1 changed file with 19 additions and 10 deletions.
diff --git a/src/gresource/js/ThemeUtils.js b/src/gresource/js/ThemeUtils.js
@@ -108,16 +108,25 @@ class ThemeUtils {
 		}
 
 		if ( null === allowed_dirs ) {
-			let user = lightdm.users.pop(),
-				user_data_dir = greeter_config.get_str( user.username, 'lightdm_data_dir' ),
-				lightdm_data_dir = user_data_dir.substr( 0, user_data_dir.lastIndexOf('/') );
-
-			allowed_dirs = {
-				themes_dir: greeter_config.get_str( 'greeter', 'themes_dir' ),
-				backgrounds_dir: greeter_config.get_str( 'branding', 'background_images' ),
-				lightdm_data_dir: lightdm_data_dir,
-				tmpdir: '/tmp',
-			};
+			let user             = lightdm.users.pop(),
+				user_data_dir    = greeter_config.get_str( user.username, 'lightdm_data_dir' ),
+				lightdm_data_dir = user_data_dir.substr( 0, user_data_dir.lastIndexOf('/') ),
+				themes_dir       = greeter_config.get_str( 'greeter', 'themes_dir' ),
+				backgrounds_dir  = greeter_config.get_str( 'branding', 'background_images' );
+
+			allowed_dirs = { tmpdir: '/tmp' };
+
+			if ( '' !== lightdm_data_dir ) {
+				allowed_dirs.lightdm_data_dir = lightdm_data_dir;
+			}
+
+			if ( '' !== themes_dir ) {
+				allowed_dirs.themes_dir = themes_dir;
+			}
+
+			if ( '' !== backgrounds_dir ) {
+				allowed_dirs.backgrounds_dir = backgrounds_dir;
+			}
 		}
 
 		if ( ! Object.keys( allowed_dirs ).some( dir => path.startsWith( allowed_dirs[dir] ) ) ) {