adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2025-02-07 12:36:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Adding checks for directory traversal attempts related to recent changes allowing plugins and themes to include their own webroot/* assets

Browse source
This commit is contained in:
phpnut 2009-11-25 12:41:19 -06:00
parent 49c11a8219
commit d685c18720
4 changed files with 27 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
cake/dispatcher.php
View file

@ -600,7 +600,7 @@ class Dispatcher extends Object {
* @access public * @access public
*/ */
function cached($url) { function cached($url) {
if (strpos($url, '.')) { if (strpos($url, '..') === false && strpos($url, '.')) {
if (strpos($url, 'ccss/') === 0) { if (strpos($url, 'ccss/') === 0) {
include WWW_ROOT . DS . Configure::read('Asset.filter.css'); include WWW_ROOT . DS . Configure::read('Asset.filter.css');
$this->_stop(); $this->_stop();

3
cake/libs/configure.php
View file

@ -235,7 +235,9 @@ class Configure extends Object {
if ($plugin) { if ($plugin) {
$pluginPath = App::pluginPath($plugin); $pluginPath = App::pluginPath($plugin);
} }
$pos = strpos($fileName, '..');
if ($pos === false) {
if ($pluginPath && file_exists($pluginPath . 'config' . DS . $fileName . '.php')) { if ($pluginPath && file_exists($pluginPath . 'config' . DS . $fileName . '.php')) {
include($pluginPath . 'config' . DS . $fileName . '.php'); include($pluginPath . 'config' . DS . $fileName . '.php');
$found = true; $found = true;
@ -254,6 +256,7 @@ class Configure extends Object {
} }
} }
} }
}
if (!$found) { if (!$found) {
return false; return false;

4
cake/tests/cases/dispatcher.test.php
View file

@ -1786,6 +1786,10 @@ class DispatcherTest extends CakeTestCase {
$Dispatcher =& new TestDispatcher(); $Dispatcher =& new TestDispatcher();
$debug = Configure::read('debug'); $debug = Configure::read('debug');
Configure::write('debug', 0); Configure::write('debug', 0);
ob_start();
$Dispatcher->dispatch('theme/test_theme/../webroot/css/test_asset.css');
$result = ob_get_clean();
$this->assertEqual(null, $result);
ob_start(); ob_start();
$Dispatcher->dispatch('theme/test_theme/flash/theme_test.swf'); $Dispatcher->dispatch('theme/test_theme/flash/theme_test.swf');

3
cake/tests/cases/libs/configure.test.php
View file

@ -222,6 +222,9 @@ class ConfigureTest extends CakeTestCase {
$result = Configure::load('config'); $result = Configure::load('config');
$this->assertTrue($result === null); $this->assertTrue($result === null);
$result = Configure::load('../../index');
$this->assertFalse($result);
} }
/** /**