
PicoDeprecated: Sanitize content_dir and base_url options when reading config.php in Picos root dir

Daniel Rudolf 9 年之前
父节点
当前提交
c72ea0ecec
共有 3 个文件被更改,包括 24 次插入7 次删除
  1. 2 0
      CHANGELOG.md
  2. 5 6
      lib/Pico.php
  3. 17 1
      plugins/00-PicoDeprecated.php

+ 2 - 0
CHANGELOG.md

@@ -10,6 +10,8 @@ Released: -
 * [New] New `markdown` filter for Twig to parse markdown strings; Note: If you
         want to parse the contents of a page, use the `content` filter instead
 * [Changed] Reuse `ParsedownExtra` object; new `onParsedownRegistration` event
+* [Fixed] `PicoDeprecated`: Sanitize `content_dir` and `base_url` options when
+          reading `config.php` in Picos root dir
 * [Fixed] Replace `urldecode()` (deprecated RFC 1738) with `rawurldecode()`
           (RFC 3986) in `Page::evaluateRequestUrl()`
 * [Fixed] #272: Encode URLs using `rawurlencode()` in `Pico::getPageUrl()`

+ 5 - 6
lib/Pico.php

@@ -446,6 +446,10 @@ class Pico
     protected function loadConfig()
     {
         $config = null;
+        if (file_exists($this->getConfigDir() . 'config.php')) {
+            require($this->getConfigDir() . 'config.php');
+        }
+
         $defaultConfig = array(
             'site_title' => 'Pico',
             'base_url' => '',
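Review bot: The `require` now sits at the top of loadConfig(), but no comment says why it has to precede `$defaultConfig`, so a later cleanup could move it back. config.php is executed inside this method's scope, so any local assigned before the include is visible to it and can be overwritten by it; presumably that is why the include now runs while only `$config` exists. I would add `// include config.php before any other local is set: it runs in this scope and could otherwise overwrite $defaultConfig` above the `if`. loadConfig()'s body continues outside the hunk.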
@@ -460,11 +464,6 @@ class Pico
             'timezone' => ''
         );
 
-        $configFile = $this->getConfigDir() . 'config.php';
-        if (file_exists($configFile)) {
-            require $configFile;
-        }
-
         $this->config = is_array($this->config) ? $this->config : array();
         $this->config += is_array($config) ? $config + $defaultConfig : $defaultConfig;
 
@@ -1308,7 +1307,7 @@ class Pico
      * @param  string $path relative or absolute path
      * @return string       absolute path
      */
-    protected function getAbsolutePath($path)
+    public function getAbsolutePath($path)
     {
         if (substr($path, 0, 1) !== '/') {
             $path = $this->getRootDir() . $path;
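Review bot: Making getAbsolutePath() public turns it into plugin API, yet the docblock still promises only "relative or absolute path" in and "absolute path" out, and the visible body just prefixes getRootDir() when the first character is not `/`. Callers that treat it as sanitisation (the commit title uses that word) should know that, as far as the visible lines show, `..` segments are not collapsed and the result is not confined to the root dir. A drive-letter path such as `C:\content` would also be treated as relative. I would add a docblock sentence such as `This only makes the path absolute; it does not resolve ".." or restrict the result to Pico's root dir.` The method body continues past the end of the hunk, so this should be checked against the rest of it.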

+ 17 - 1
plugins/00-PicoDeprecated.php

@@ -170,11 +170,27 @@ class PicoDeprecated extends AbstractPicoPlugin
     protected function loadRootDirConfig(&$realConfig)
     {
         if (file_exists($this->getRootDir() . 'config.php')) {
-            // config.php in Pico::$rootDir is deprecated; use Pico::$configDir instead
+            // config.php in Pico::$rootDir is deprecated
+            // use config.php in Pico::$configDir instead
             $config = null;
             require($this->getRootDir() . 'config.php');
 
             if (is_array($config)) {
+                if (array_key_exists('base_url', $config)) {
+                    if (!empty($config['base_url'])) {
+                        $config['base_url'] = rtrim($config['base_url'], '/') . '/';
+                    } else {
+                        unset($config['base_url']);
+                    }
+                }
+                if (array_key_exists('content_dir', $config)) {
+                    if (!empty($config['content_dir'])) {
+                        $config['content_dir'] = $this->getAbsolutePath($config['content_dir']);
+                    } else {
+                        unset($config['content_dir']);
+                    }
+                }
+
                 $realConfig = $config + $realConfig;
             }
         }
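Review bot: The new `base_url` and `content_dir` branches test only `!empty(...)`, so a non-string value from a legacy config.php (an array, for instance) goes straight into `rtrim()` and, via getAbsolutePath(), into `substr()`. Checking the type in the same condition keeps malformed values on the `unset` path: `if (is_string($config['base_url']) && !empty($config['base_url'])) {`, and the same for `content_dir`. Note also that `empty()` treats the string `'0'` as unset, which matters for a content directory literally named `0`. loadRootDirConfig() continues after the last visible line.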