Merge pull request #7260 from ndm2/2.7-fix-path-traversal-protection-for-win-os

Fix path traversal check for Windows based systems

lib/Cake/Network/CakeResponse.php

@@ -1337,7 +1337,7 @@ class CakeResponse {
 			'download' => null
 		);
 
-		if (strpos($path, '..' . DS) !== false) {
+		if (strpos($path, '../') !== false || strpos($path, '..\\') !== false) {
 			throw new NotFoundException(__d(
 				'cake_dev',
 				'The requested file contains `..` and will not be read.'

lib/Cake/Test/Case/Network/CakeResponseTest.php

@@ -1167,17 +1167,29 @@ class CakeResponseTest extends CakeTestCase {
 	}
 
 /**
- * test file with ..
+ * test file with ../
  *
  * @expectedException NotFoundException
  * @expectedExceptionMessage The requested file contains `..` and will not be read.
  * @return void
  */
-	public function testFileWithPathTraversal() {
+	public function testFileWithForwardSlashPathTraversal() {
 		$response = new CakeResponse();
 		$response->file('my/../cat.gif');
 	}
 
+/**
+ * test file with ..\
+ *
+ * @expectedException NotFoundException
+ * @expectedExceptionMessage The requested file contains `..` and will not be read.
+ * @return void
+ */
+	public function testFileWithBackwardSlashPathTraversal() {
+		$response = new CakeResponse();
+		$response->file('my\..\cat.gif');
+	}
+
 /**
  * Although unlikely, a file may contain dots in its filename.
  * This should be allowed, as long as the dots doesn't specify a path (../ or ..\)