Adding checks for directory traversal attempts related to recent changes allowing plugins and themes to include their own webroot/* assets

2025-01-31 09:06:17 +00:00 · 2009-11-25 12:41:19 -06:00 · 2009-11-25 12:41:19 -06:00 · d685c18720
commit d685c18720
parent 49c11a8219
4 changed files with 27 additions and 17 deletions
--- a/cake/dispatcher.php
+++ b/cake/dispatcher.php
@ -600,7 +600,7 @@ class Dispatcher extends Object {
 * @access public
 */
 	function cached($url) {
-		if (strpos($url, '.')) {
+		if (strpos($url, '..') === false && strpos($url, '.')) {
 			if (strpos($url, 'ccss/') === 0) {
 				include WWW_ROOT . DS . Configure::read('Asset.filter.css');
 				$this->_stop();
--- a/cake/libs/configure.php
+++ b/cake/libs/configure.php
@ -235,22 +235,25 @@ class Configure extends Object {
 		if ($plugin) {
 			$pluginPath = App::pluginPath($plugin);
 		}
-
-		if ($pluginPath && file_exists($pluginPath . 'config' . DS . $fileName . '.php')) {
-			include($pluginPath . 'config' . DS . $fileName . '.php');
-			$found = true;
-		} elseif (file_exists(CONFIGS . $fileName . '.php')) {
-			include(CONFIGS . $fileName . '.php');
-			$found = true;
-		} elseif (file_exists(CACHE . 'persistent' . DS . $fileName . '.php')) {
-			include(CACHE . 'persistent' . DS . $fileName . '.php');
-			$found = true;
-		} else {
-			foreach (App::core('cake') as $key => $path) {
-				if (file_exists($path . DS . 'config' . DS . $fileName . '.php')) {
-					include($path . DS . 'config' . DS . $fileName . '.php');
-					$found = true;
-					break;
+		$pos = strpos($fileName, '..');
+		
+		if ($pos === false) {
+			if ($pluginPath && file_exists($pluginPath . 'config' . DS . $fileName . '.php')) {
+				include($pluginPath . 'config' . DS . $fileName . '.php');
+				$found = true;
+			} elseif (file_exists(CONFIGS . $fileName . '.php')) {
+				include(CONFIGS . $fileName . '.php');
+				$found = true;
+			} elseif (file_exists(CACHE . 'persistent' . DS . $fileName . '.php')) {
+				include(CACHE . 'persistent' . DS . $fileName . '.php');
+				$found = true;
+			} else {
+				foreach (App::core('cake') as $key => $path) {
+					if (file_exists($path . DS . 'config' . DS . $fileName . '.php')) {
+						include($path . DS . 'config' . DS . $fileName . '.php');
+						$found = true;
+						break;
+					}
 				}
 			}
 		}
--- a/cake/tests/cases/dispatcher.test.php
+++ b/cake/tests/cases/dispatcher.test.php
@ -1786,6 +1786,10 @@ class DispatcherTest extends CakeTestCase {
 		$Dispatcher =& new TestDispatcher();
 		$debug = Configure::read('debug');
 		Configure::write('debug', 0);
+		ob_start();
+		$Dispatcher->dispatch('theme/test_theme/../webroot/css/test_asset.css');
+		$result = ob_get_clean();
+		$this->assertEqual(null, $result);
 		
 		ob_start();
 		$Dispatcher->dispatch('theme/test_theme/flash/theme_test.swf');
--- a/cake/tests/cases/libs/configure.test.php
+++ b/cake/tests/cases/libs/configure.test.php
@ -222,6 +222,9 @@ class ConfigureTest extends CakeTestCase {

 		$result = Configure::load('config');
 		$this->assertTrue($result === null);
+		
+		$result = Configure::load('../../index');
+		$this->assertFalse($result);
 	}

 /**