adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2025-01-31 00:48:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Reject file paths containing ...

Browse source 
Paths containing `..` are generally up to no good. Throw an exception,
as developers can use realpath() if they really need to get relative
paths.

Fixes #3370
This commit is contained in:
mark_story 2014-04-23 22:20:14 -04:00
parent 2333c3d535
commit 6f68049bf5
2 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
lib/Cake/Network/CakeResponse.php
View file

@ -1259,6 +1259,13 @@ class CakeResponse {
'download' => null 'download' => null
); );
if (strpos($path, '..') !== false) {
throw new NotFoundException(__d(
'cake_dev',
'The requested file contains `..` and will not be read.'
));
}
if (!is_file($path)) { if (!is_file($path)) {
$path = APP . $path; $path = APP . $path;
} }

11
lib/Cake/Test/Case/Network/CakeResponseTest.php
View file

@ -1075,6 +1075,17 @@ class CakeResponseTest extends CakeTestCase {
$response->file('/some/missing/folder/file.jpg'); $response->file('/some/missing/folder/file.jpg');
} }
/**
* test file with ..
*
* @expectedException NotFoundException
* @return void
*/
public function testFileWithPathTraversal() {
$response = new CakeResponse();
$response->file('my/../cat.gif');
}
/** /**
* testFile method * testFile method
* *