Merge pull request #5905 from davidsteinsland/fix_file_response_dots

Fix file response dots
2024-11-15 03:18:26 +00:00 · 2015-03-09 21:54:02 -04:00 · 2015-03-09 21:54:02 -04:00 · 43f16f38f0
commit 43f16f38f0
parent b4f78572fc 463fa660bc
2 changed files with 15 additions and 1 deletions
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@ -1336,7 +1336,7 @@ class CakeResponse {
 			'download' => null
 		);

-		if (strpos($path, '..') !== false) {
+		if (strpos($path, '../') !== false || strpos($path, '..\\') !== false) {
 			throw new NotFoundException(__d(
 				'cake_dev',
 				'The requested file contains `..` and will not be read.'
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
@ -1170,6 +1170,7 @@ class CakeResponseTest extends CakeTestCase {
 * test file with ..
 *
 * @expectedException NotFoundException
+ * @expectedExceptionMessage The requested file contains `..` and will not be read.
 * @return void
 */
 	public function testFileWithPathTraversal() {
@ -1177,6 +1178,19 @@ class CakeResponseTest extends CakeTestCase {
 		$response->file('my/../cat.gif');
 	}

+/**
+ * Although unlikely, a file may contain dots in its filename.
+ * This should be allowed, as long as the dots doesn't specify a path (../ or ..\)
+ *
+ * @expectedException NotFoundException
+ * @execptedExceptionMessageRegExp #The requested file .+my/Some..cat.gif was not found or not readable#
+ * @return void
+ */
+	public function testFileWithDotsInFilename() {
+		$response = new CakeResponse();
+		$response->file('my/Some..cat.gif');
+	}
+
 /**
 * testFile method
 *