adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2024-11-15 03:18:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Ignore asset requests containing %2e in them.

Browse source 
urldecode URI's early to avoid issues with encoded `.` characters.
This commit is contained in:
mark_story 2013-07-16 13:14:27 -04:00
parent b873186468
commit d4db64ff26
2 changed files with 47 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/Cake/Routing/Filter/AssetDispatcher.php
View file

@ -42,7 +42,7 @@ class AssetDispatcher extends DispatcherFilter {
* @return CakeResponse if the client is requesting a recognized asset, null otherwise * @return CakeResponse if the client is requesting a recognized asset, null otherwise
*/ */
public function beforeDispatch(CakeEvent $event) { public function beforeDispatch(CakeEvent $event) {
$url = $event->data['request']->url; $url = urldecode($event->data['request']->url);
if (strpos($url, '..') !== false || strpos($url, '.') === false) { if (strpos($url, '..') !== false || strpos($url, '.') === false) {
return; return;
} }
@ -118,7 +118,7 @@ class AssetDispatcher extends DispatcherFilter {
if ($parts[0] === 'theme') { if ($parts[0] === 'theme') {
$themeName = $parts[1]; $themeName = $parts[1];
unset($parts[0], $parts[1]); unset($parts[0], $parts[1]);
$fileFragment = urldecode(implode(DS, $parts)); $fileFragment = implode(DS, $parts);
$path = App::themePath($themeName) . 'webroot' . DS; $path = App::themePath($themeName) . 'webroot' . DS;
return $path . $fileFragment; return $path . $fileFragment;
} }
@ -126,7 +126,7 @@ class AssetDispatcher extends DispatcherFilter {
$plugin = Inflector::camelize($parts[0]); $plugin = Inflector::camelize($parts[0]);
if ($plugin && CakePlugin::loaded($plugin)) { if ($plugin && CakePlugin::loaded($plugin)) {
unset($parts[0]); unset($parts[0]);
$fileFragment = urldecode(implode(DS, $parts)); $fileFragment = implode(DS, $parts);
$pluginWebroot = CakePlugin::path($plugin) . 'webroot' . DS; $pluginWebroot = CakePlugin::path($plugin) . 'webroot' . DS;
return $pluginWebroot . $fileFragment; return $pluginWebroot . $fileFragment;
} }

44
lib/Cake/Test/Case/Routing/Filter/AssetDispatcherTest.php
View file

@ -143,4 +143,48 @@ class AssetDispatcherTest extends CakeTestCase {
$this->assertFalse($event->isStopped()); $this->assertFalse($event->isStopped());
} }
/**
* Test that attempts to traverse directories are prevented.
*
* @return void
*/
public function test404OnDoubleDot() {
App::build(array(
'Plugin' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'Plugin' . DS),
'View' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'View' . DS)
), APP::RESET);
$response = $this->getMock('CakeResponse', array('_sendHeader'));
$request = new CakeRequest('theme/test_theme/../../../../../../VERSION.txt');
$event = new CakeEvent('Dispatcher.beforeRequest', $this, compact('request', 'response'));
$response->expects($this->never())->method('send');
$filter = new AssetDispatcher();
$this->assertNull($filter->beforeDispatch($event));
$this->assertFalse($event->isStopped());
}
/**
* Test that attempts to traverse directories with urlencoded paths fail.
*
* @return void
*/
public function test404OnDoubleDotEncoded() {
App::build(array(
'Plugin' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'Plugin' . DS),
'View' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'View' . DS)
), APP::RESET);
$response = $this->getMock('CakeResponse', array('_sendHeader', 'send'));
$request = new CakeRequest('theme/test_theme/%2e./%2e./%2e./%2e./%2e./%2e./VERSION.txt');
$event = new CakeEvent('Dispatcher.beforeRequest', $this, compact('request', 'response'));
$response->expects($this->never())->method('send');
$filter = new AssetDispatcher();
$this->assertNull($filter->beforeDispatch($event));
$this->assertFalse($event->isStopped());
}
} }