From 813a3af19c8918b00ca1067a2c78886fa3bcd9bb Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Thu, 22 Apr 2010 23:17:11 -0400
Subject: [PATCH] Fixing security vulnerabilities in the test suite runner.
---
 cake/tests/lib/test_manager.php | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/cake/tests/lib/test_manager.php b/cake/tests/lib/test_manager.php
index 5bfbc6279..6b4a6182d 100644
--- a/cake/tests/lib/test_manager.php
+++ b/cake/tests/lib/test_manager.php
@@ -70,7 +70,7 @@ class TestManager {
 			$this->appTest = true;
 		}
 		if (isset($_GET['plugin'])) {
-			$this->pluginTest = $_GET['plugin'];
+			$this->pluginTest = htmlentities($_GET['plugin']);
 		}
 	}
@@ -131,8 +131,11 @@ class TestManager {
 	function runTestCase($testCaseFile, &$reporter, $testing = false) {
 		$testCaseFileWithPath = $this->_getTestsPath() . DS . $testCaseFile;
-		if (!file_exists($testCaseFileWithPath)) {
-			trigger_error(sprintf(__('Test case %s cannot be found', true), $testCaseFile), E_USER_ERROR);
+		if (!file_exists($testCaseFileWithPath) || strpos($testCaseFileWithPath, '..')) {
+			trigger_error(
+				sprintf(__("Test case %s cannot be found", true), htmlentities($testCaseFile)),
+				E_USER_ERROR
+			);
 			return false;
 		}
@@ -156,8 +159,14 @@ class TestManager {
 	function runGroupTest($groupTestName, &$reporter) {
 		$filePath = $this->_getTestsPath('groups') . DS . strtolower($groupTestName) . $this->_groupExtension;
-		if (!file_exists($filePath)) {
-			trigger_error(sprintf(__('Group test %s cannot be found at %s', true), $groupTestName, $filePath), E_USER_ERROR);
+		if (!file_exists($filePath) || strpos($testCaseFileWithPath, '..')) {
+			trigger_error(sprintf(
+				__("Group test %s cannot be found at %s", true),
+				htmlentities($groupTestName),
+				htmlentities($filePath)
+			),
+			E_USER_ERROR
+			);
 		}
 		require_once $filePath;
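Review bot: `htmlentities()` is applied at the point `$_GET['plugin']` is stored into `$this->pluginTest`, which encodes for an HTML output context before the value's later use is known; if `pluginTest` is subsequently used to build a filesystem path (not visible in this hunk), HTML encoding does nothing against `..` segments and also leaves a mangled name for any non-HTML use. A shape check at the boundary is the more robust fix, e.g. `if (isset($_GET['plugin']) && preg_match('/^[a-zA-Z0-9_]+$/', $_GET['plugin'])) {`, with `htmlentities()` applied at the place the value is echoed. The method containing this assignment begins outside the hunk.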
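Review bot: The new guard `strpos($testCaseFileWithPath, '..')` in runTestCase uses the offset as a boolean, so a match at offset 0 reads as "not found", and because it tests the joined path rather than the caller-supplied part, a `..` anywhere in the tests base directory would reject every test case; `strpos($testCaseFile, '..') !== false` states the intent exactly and checks only the untrusted segment. The matching guard in the runGroupTest hunk has a worse problem: it reads `$testCaseFileWithPath`, which is never assigned in that method, so with PHP's undefined-variable semantics the condition is always false and `require_once $filePath` runs on an unchecked value — it should be `strpos($groupTestName, '..') !== false`. runTestCase's body continues past the end of this hunk.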