From 6f68049bf507783c5f278eccbd0c807a0ecc45c3 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Wed, 23 Apr 2014 22:20:14 -0400
Subject: [PATCH] Reject file paths containing `..`.

Paths containing `..` are generally up to no good. Throw an exception, as developers can use realpath() if they really need to get relative paths.

Fixes #3370
---
 lib/Cake/Network/CakeResponse.php | 7 +++++++
 lib/Cake/Test/Case/Network/CakeResponseTest.php | 11 +++++++++++
 2 files changed, 18 insertions(+)

diff --git a/lib/Cake/Network/CakeResponse.php b/lib/Cake/Network/CakeResponse.php
index bb57265e2..d5f2dc869 100644
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@@ -1259,6 +1259,13 @@ class CakeResponse {
 			'download' => null
 		);
 
+		if (strpos($path, '..') !== false) {
+			throw new NotFoundException(__d(
+				'cake_dev',
+				'The requested file contains `..` and will not be read.'
+			));
+		}
+
 		if (!is_file($path)) {
 			$path = APP . $path;
 		}
diff --git a/lib/Cake/Test/Case/Network/CakeResponseTest.php b/lib/Cake/Test/Case/Network/CakeResponseTest.php
index 16326ea4d..c9fb23a14 100644
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
@@ -1075,6 +1075,17 @@ class CakeResponseTest extends CakeTestCase {
 		$response->file('/some/missing/folder/file.jpg');
 	}
 
+/**
+ * test file with ..
+ *
+ * @expectedException NotFoundException
+ * @return void
+ */
+	public function testFileWithPathTraversal() {
+		$response = new CakeResponse();
+		$response->file('my/../cat.gif');
+	}
+
 /**
  * testFile method
  *
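Review bot: The `strpos($path, '..') !== false` test at the top of the hunk is a substring match rather than a path-segment match, so besides `my/../cat.gif` it also rejects legitimate names such as `report..pdf` or a directory called `v1..v2`. If that over-rejection is intended, say so in the method's docblock (which lies outside the hunk) so callers do not treat it as a bug; otherwise a segment-level check such as `if (in_array('..', preg_split('#[\\\\/]+#', $path), true)) {` rejects only real parent-directory references on both separator styles. Either way the guard is a deny-list, not a containment check: because `is_file($path)` on the following lines accepts absolute paths unchanged, the method still serves any file the process can read when given such a path, so the check protects against traversal out of `APP` only for relative input. The enclosing file() method starts and ends outside the hunk.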
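Review bot: testFileWithPathTraversal covers only the forward-slash form `my/../cat.gif`; since the guard in CakeResponse::file() is a plain substring match, a second case with a leading `../cat.gif` and one with the Windows form `my\..\cat.gif` would pin that both are refused and would catch a later rewrite that only splits on `/`. The docblock summary `test file with ..` is terse; `Paths containing a `..` segment are rejected with NotFoundException before any filesystem access` states the contract being tested. The test class continues outside the hunk.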