From 5fd7396e479753b5c967ecffc45e52eac62ca9cc Mon Sep 17 00:00:00 2001
From: David Steinsland
Date: Sun, 15 Feb 2015 19:32:33 +0100
Subject: [PATCH] Fixed downloading of files with dots
---
 lib/Cake/Network/CakeResponse.php | 2 +-
 .../Test/Case/Network/CakeResponseTest.php | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/lib/Cake/Network/CakeResponse.php b/lib/Cake/Network/CakeResponse.php
index b2890b7f1..26bfb83be 100644
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@@ -1336,7 +1336,7 @@ class CakeResponse {
 'download' => null
 );
- if (strpos($path, '..') !== false) {
+ if (strpos($path, '../') !== false || strpos($path, '..\\') !== false) {
 throw new NotFoundException(__d(
 'cake_dev',
 'The requested file contains `..` and will not be read.'
diff --git a/lib/Cake/Test/Case/Network/CakeResponseTest.php b/lib/Cake/Test/Case/Network/CakeResponseTest.php
index 801f08664..22dd7f985 100644
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
@@ -1170,6 +1170,7 @@ class CakeResponseTest extends CakeTestCase {
 * test file with ..
 *
 * @expectedException NotFoundException
+ * @expectedExceptionMessage The requested file contains `..` and will not be read.
 * @return void
 */
 public function testFileWithPathTraversal() {
@@ -1177,6 +1178,24 @@ class CakeResponseTest extends CakeTestCase {
 $response->file('my/../cat.gif');
 }
+ public function testFileWithDotsInFilename() {
+ $ok = false;
+ $file = 'my/Some..cat.gif';
+
+ try {
+ $response = new CakeResponse();
+ $response->file($file);
+ } catch (NotFoundException $e) {
+ if (Configure::read('debug') > 0) {
+ $ok = $e->getMessage() === sprintf('The requested file %s was not found or not readable', APP . $file);
+ } else {
+ $ok = $e->getMessage() === 'The requested file was not found';
+ }
+ }
+
+ $this->assertTrue($ok);
+ }
+
+
 /**
 * testFile method
 *
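Review bot: The new guard still lets a trailing `..` segment through (`my/..`, or just `..`), because it only rejects `..` when a separator follows it; whether that matters depends on how the rest of file(), which starts before and continues after this hunk, resolves and validates the path, and that part is not visible here. Matching `..` as a whole path segment is both tighter and simpler than two substring scans: `$segments = preg_split('#[\\\\/]#', $path);` followed by `if (in_array('..', $segments, true)) {`, which still allows `Some..cat.gif` as the commit intends. If file() later resolves the path against a base directory, a `realpath()`-prefix check at that point would make this string test a defence in depth rather than the only control.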
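Review bot: testFileWithDotsInFilename asserts a bare `$ok` flag, so on failure PHPUnit only reports that false is not true and does not say whether no exception was thrown or the message differed; the method also lacks the docblock its sibling testFileWithPathTraversal carries. Computing the expected message up front, asserting it with `assertSame` inside the catch, and calling `$this->fail()` after `file()` makes both failure modes explicit. A docblock such as `test that a filename containing ".." (not a path segment) passes the traversal check` with `@return void` would match the file's convention.
```php
	public function testFileWithDotsInFilename() {
		$file = 'my/Some..cat.gif';
		$expected = Configure::read('debug') > 0
			? sprintf('The requested file %s was not found or not readable', APP . $file)
			: 'The requested file was not found';

		try {
			$response = new CakeResponse();
			$response->file($file);
			$this->fail('Expected NotFoundException for a non-existent file');
		} catch (NotFoundException $e) {
			$this->assertSame($expected, $e->getMessage());
		}
	}
```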