From 8fe953548c65b85cf1a919709047fe273d932339 Mon Sep 17 00:00:00 2001
From: ndm2
Date: Wed, 19 Aug 2015 16:47:53 +0200
Subject: [PATCH] Fix path traversal check for Windows based systems

On Windows based systems, both, backward as well as forward slashes are supported as path separators, thus checking for `DS` only, would allow to slip in `../` fragments.

refs #5905, cad57dcc28ed9996b52e681ae06d62bc7b5c79c0
---
 lib/Cake/Network/CakeResponse.php | 2 +-
 lib/Cake/Test/Case/Network/CakeResponseTest.php | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/lib/Cake/Network/CakeResponse.php b/lib/Cake/Network/CakeResponse.php
index 3c5a3c46a..a19299228 100644
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@@ -1337,7 +1337,7 @@ class CakeResponse {
 'download' => null
 );
 
- if (strpos($path, '..' . DS) !== false) {
+ if (strpos($path, '../') !== false || strpos($path, '..\\') !== false) {
 throw new NotFoundException(__d(
 'cake_dev',
 'The requested file contains `..` and will not be read.'
diff --git a/lib/Cake/Test/Case/Network/CakeResponseTest.php b/lib/Cake/Test/Case/Network/CakeResponseTest.php
index 41e2eba07..6abe8c97b 100644
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
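Review bot: The new condition in `file()` is still a substring denylist: it rejects `../` and `..\` but not a `..` segment that ends the string (for example `images/..`), and by itself it does not prove that the path finally opened stays under an intended base directory. The rest of `file()` lies outside this hunk, so I cannot see whether the path is canonicalised later; if it is not, a `realpath()` comparison against an allowed base would be the durable fix, with this `..` test kept as a cheap early reject. As a smaller cleanup the two `strpos` calls can become one pattern that also catches the trailing form, `if (preg_match('#\.\.([/\\\\]|$)#', $path)) {`, which keeps every rejection the current line makes and still lets names like `..cat.gif` through. Checking both separators unconditionally rather than only on Windows is the right call, since PHP on Windows accepts either separator regardless of what `DS` is set to.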
@@ -1167,17 +1167,29 @@ class CakeResponseTest extends CakeTestCase {
 }
 
 /**
- * test file with ..
+ * test file with ../
  *
  * @expectedException NotFoundException
  * @expectedExceptionMessage The requested file contains `..` and will not be read.
  * @return void
  */
- public function testFileWithPathTraversal() {
+ public function testFileWithForwardSlashPathTraversal() {
 $response = new CakeResponse();
 $response->file('my/../cat.gif');
 }
 
+/**
+ * test file with ..\
+ *
+ * @expectedException NotFoundException
+ * @expectedExceptionMessage The requested file contains `..` and will not be read.
+ * @return void
+ */
+ public function testFileWithBackwardSlashPathTraversal() {
+ $response = new CakeResponse();
+ $response->file('my\..\cat.gif');
+ }
+
 /**
  * Although unlikely, a file may contain dots in its filename.
  * This should be allowed, as long as the dots doesn't specify a path (../ or ..\)
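Review bot: The renamed `testFileWithForwardSlashPathTraversal` and the new `testFileWithBackwardSlashPathTraversal` are identical apart from the path literal, so a single method with a `@dataProvider` yielding `'my/../cat.gif'` and `'my\..\cat.gif'` would remove the duplicated docblock and make it cheap to add further rejected forms later, such as a bare trailing `..`. This is a style preference about how the new test is written; the assertions themselves look right, and `'my\..\cat.gif'` inside single quotes is the literal backslash path the fix is meant to catch, since PHP does not treat `\.` or `\c` as escapes there.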