Merge pull request #106 from RamadhanAmizudin/master

Update theme_assets.php

htdocs/application/controllers/theme_assets.php

@@ -23,7 +23,7 @@ class Theme_assets extends CI_Controller
 	function css() 
 	{
 		$css_file = $this->uri->segment(4);
-
+		$css_file = basename( $css_file ); // Fix LFI Vulnerability
 		//file path
 		$file_path = 'themes/' . $this->theme . '/css/' . $css_file;
 
@@ -34,6 +34,11 @@ class Theme_assets extends CI_Controller
 			$file_path = 'themes/default/css/' . $css_file;
 		}
 		
+		// Double checking file
+		if( !file_exists( $file_path ) ) {
+			return false;
+		}
+
 		//send
 		header('Content-type: text/css');
 		$this->_expires_header(1);
@@ -43,7 +48,7 @@ class Theme_assets extends CI_Controller
 	function images() 
 	{
 		$image_file = $this->uri->segment(4);
-
+		$image_file = basename( $image_file );
 		//file path
 		$file_path = 'themes/' . $this->theme . '/images/' . $image_file;
 
@@ -54,6 +59,10 @@ class Theme_assets extends CI_Controller
 			$file_path = 'themes/default/images/' . $image_file;
 		}
 		
+		// double checking file
+		if( !file_exists( $file_path ) ) {
+			return false;
+		}
 		//send
 		$size = getimagesize($file_path);
 		header('Content-type: ' . $size['mime']);