From d685c1872046262c9180de23a74516c231bad203 Mon Sep 17 00:00:00 2001
From: phpnut
Date: Wed, 25 Nov 2009 12:41:19 -0600
Subject: [PATCH] Adding checks for directory traversal attempts related to recent changes allowing plugins and themes to include their own webroot/* assets
---
 cake/dispatcher.php | 2 +-
 cake/libs/configure.php | 35 +++++++++++++-----------
 cake/tests/cases/dispatcher.test.php | 4 +++
 cake/tests/cases/libs/configure.test.php | 3 ++
 4 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/cake/dispatcher.php b/cake/dispatcher.php
index 2fc5f2b64..8d230515b 100644
--- a/cake/dispatcher.php
+++ b/cake/dispatcher.php
@@ -600,7 +600,7 @@ class Dispatcher extends Object {
 * @access public
 */
 function cached($url) {
- if (strpos($url, '.')) {
+ if (strpos($url, '..') === false && strpos($url, '.')) {
 if (strpos($url, 'ccss/') === 0) {
 include WWW_ROOT . DS . Configure::read('Asset.filter.css');
 $this->_stop();
diff --git a/cake/libs/configure.php b/cake/libs/configure.php
index e41afbae8..b60ba74a0 100644
--- a/cake/libs/configure.php
+++ b/cake/libs/configure.php
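Review bot: The new guard on the `if` line is a substring denylist for `..`, which stops the literal traversal but is weaker than a containment check; where cached() later assembles the theme/plugin asset path (that code lies past the end of this hunk), resolving it with `realpath()` and requiring the result to start with the expected webroot directory would cover every spelling the substring test cannot. On PHP releases before 5.3.4 a NUL byte in `$url` can also truncate the path handed to `include`, so the guard could be extended to `if (strpos($url, '..') === false && strpos($url, "\0") === false && strpos($url, '.')) {`. The retained `strpos($url, '.')` truthiness test still treats a URL whose first character is `.` as having no dot, since offset 0 is falsy; that is pre-existing behaviour, but worth a comment if it is intended. cached() starts inside the hunk and continues beyond it.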
@@ -235,22 +235,25 @@ class Configure extends Object {
 if ($plugin) {
 $pluginPath = App::pluginPath($plugin);
 }
-
- if ($pluginPath && file_exists($pluginPath . 'config' . DS . $fileName . '.php')) {
- include($pluginPath . 'config' . DS . $fileName . '.php');
- $found = true;
- } elseif (file_exists(CONFIGS . $fileName . '.php')) {
- include(CONFIGS . $fileName . '.php');
- $found = true;
- } elseif (file_exists(CACHE . 'persistent' . DS . $fileName . '.php')) {
- include(CACHE . 'persistent' . DS . $fileName . '.php');
- $found = true;
- } else {
- foreach (App::core('cake') as $key => $path) {
- if (file_exists($path . DS . 'config' . DS . $fileName . '.php')) {
- include($path . DS . 'config' . DS . $fileName . '.php');
- $found = true;
- break;
+ $pos = strpos($fileName, '..');
+
+ if ($pos === false) {
+ if ($pluginPath && file_exists($pluginPath . 'config' . DS . $fileName . '.php')) {
+ include($pluginPath . 'config' . DS . $fileName . '.php');
+ $found = true;
+ } elseif (file_exists(CONFIGS . $fileName . '.php')) {
+ include(CONFIGS . $fileName . '.php');
+ $found = true;
+ } elseif (file_exists(CACHE . 'persistent' . DS . $fileName . '.php')) {
+ include(CACHE . 'persistent' . DS . $fileName . '.php');
+ $found = true;
+ } else {
+ foreach (App::core('cake') as $key => $path) {
+ if (file_exists($path . DS . 'config' . DS . $fileName . '.php')) {
+ include($path . DS . 'config' . DS . $fileName . '.php');
+ $found = true;
+ break;
+ }
 }
 }
 }
diff --git a/cake/tests/cases/dispatcher.test.php b/cake/tests/cases/dispatcher.test.php
index 396cf267a..1029ab543 100644
--- a/cake/tests/cases/dispatcher.test.php
+++ b/cake/tests/cases/dispatcher.test.php
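Review bot: `$pos` on the first added line is read exactly once, and wrapping the whole lookup in `if ($pos === false)` pushes the existing chain one level deeper for no gain; an early rejection such as `if (strpos($fileName, '..') !== false) { return false; }` placed before the lookup keeps the original lines untouched and makes the intent obvious, assuming the not-found path below the hunk returns false as the new configure test expects. As in the dispatcher, this is a `..` substring denylist; because `$fileName` is concatenated into four different `include` paths, a tighter contract is to whitelist the allowed characters (for example a `preg_match` against letters, digits, `_`, `-`, `.` and `/`) or to compare `realpath()` of each candidate against its base directory before including it. The `$plugin` value passed to `App::pluginPath()` in the context lines is not covered by the new check; if it is split off from the same caller-supplied name, it presumably needs the same treatment — confirm where it is derived above the hunk. The enclosing load() method starts and ends outside this hunk.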
@@ -1786,6 +1786,10 @@ class DispatcherTest extends CakeTestCase {
 $Dispatcher =& new TestDispatcher();
 $debug = Configure::read('debug');
 Configure::write('debug', 0);
+ ob_start();
+ $Dispatcher->dispatch('theme/test_theme/../webroot/css/test_asset.css');
+ $result = ob_get_clean();
+ $this->assertEqual(null, $result);
 ob_start();
 $Dispatcher->dispatch('theme/test_theme/flash/theme_test.swf');
diff --git a/cake/tests/cases/libs/configure.test.php b/cake/tests/cases/libs/configure.test.php
index 739197224..40a761932 100644
--- a/cake/tests/cases/libs/configure.test.php
+++ b/cake/tests/cases/libs/configure.test.php
@@ -222,6 +222,9 @@ class ConfigureTest extends CakeTestCase {
 $result = Configure::load('config');
 $this->assertTrue($result === null);
+
+ $result = Configure::load('../../index');
+ $this->assertFalse($result);
 }
 /**
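Review bot: `$this->assertEqual(null, $result)` on the last added line is a loose comparison; `ob_get_clean()` returns a string, so `$this->assertIdentical('', $result);` pins the actual "nothing was emitted" outcome instead of relying on null and an empty string comparing equal. The commit message says the check covers plugins as well as themes, but only the theme route is exercised here; a parallel dispatch of a plugin asset URL containing `..` would cover the other branch (the plugin URL form is not visible in this hunk, so I cannot quote it). The test method starts before and continues after the hunk.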
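Review bot: `$this->assertFalse($result)` on the last added line cannot tell a rejected path from a successfully loaded one: the assertion two lines above shows that a successful `Configure::load()` returns null, and `assertFalse(null)` passes as well, so this test would still pass if `../../index` had actually been included. Use the identity form the neighbouring line already uses, `$this->assertTrue($result === false);` (or `assertIdentical(false, $result)`), so the traversal case is pinned to whatever the rejection return value really is. A second case with `..` in the middle of the name, such as `Configure::load('foo/../../index')`, would also confirm the check is not anchored to the start of the string. The closing brace in the context lines ends the test method, whose start is outside the hunk.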