Fix path traversal check for Windows based systems

On Windows based systems, both, backward as well as forward slashes are supported as path separators, thus checking for `DS` only, would allow to slip in `../` fragments. refs #5905, cad57dcc28
2025-01-18 18:46:17 +00:00 · 2015-08-19 16:47:53 +02:00 · 2015-08-19 16:47:53 +02:00 · 8fe953548c
commit 8fe953548c
parent daa795dfd3
2 changed files with 15 additions and 3 deletions
--- a/lib/Cake/Network/CakeResponse.php
+++ b/lib/Cake/Network/CakeResponse.php
@ -1337,7 +1337,7 @@ class CakeResponse {
 			'download' => null
 		);

-		if (strpos($path, '..' . DS) !== false) {
+		if (strpos($path, '../') !== false || strpos($path, '..\\') !== false) {
 			throw new NotFoundException(__d(
 				'cake_dev',
 				'The requested file contains `..` and will not be read.'
--- a/lib/Cake/Test/Case/Network/CakeResponseTest.php
+++ b/lib/Cake/Test/Case/Network/CakeResponseTest.php
@ -1167,17 +1167,29 @@ class CakeResponseTest extends CakeTestCase {
 	}

 /**
- * test file with ..
+ * test file with ../
 *
 * @expectedException NotFoundException
 * @expectedExceptionMessage The requested file contains `..` and will not be read.
 * @return void
 */
-	public function testFileWithPathTraversal() {
+	public function testFileWithForwardSlashPathTraversal() {
 		$response = new CakeResponse();
 		$response->file('my/../cat.gif');
 	}

+/**
+ * test file with ..\
+ *
+ * @expectedException NotFoundException
+ * @expectedExceptionMessage The requested file contains `..` and will not be read.
+ * @return void
+ */
+	public function testFileWithBackwardSlashPathTraversal() {
+		$response = new CakeResponse();
+		$response->file('my\..\cat.gif');
+	}
+
 /**
 * Although unlikely, a file may contain dots in its filename.
 * This should be allowed, as long as the dots doesn't specify a path (../ or ..\)