Fix directory traversal of .ctp files

chinpei215 · chinpei215 · commit 74c2ded8725e · 2016-11-27T18:14:44.000+09:00
diff --git a/app/Controller/PagesController.php b/app/Controller/PagesController.php
@@ -41,8 +41,9 @@ class PagesController extends AppController {
  * Displays a view
  *
  * @return void
+ * @throws ForbiddenException When a directory traversal attempt.
  * @throws NotFoundException When the view file could not be found
- *	or MissingViewException in debug mode.
+ *   or MissingViewException in debug mode.
  */
 	public function display() {
 		$path = func_get_args();
@@ -51,6 +52,9 @@ public function display() {
 		if (!$count) {
 			return $this->redirect('/');
 		}
+		if (in_array('..', $path, true) || in_array('.', $path, true)) {
+			throw new ForbiddenException();
+		}
 		$page = $subpage = $title_for_layout = null;
 
 		if (!empty($path[0])) {
diff --git a/lib/Cake/Console/Templates/skel/Controller/PagesController.php b/lib/Cake/Console/Templates/skel/Controller/PagesController.php
@@ -32,6 +32,7 @@ class PagesController extends AppController {
  * Displays a view
  *
  * @return void
+ * @throws ForbiddenException When a directory traversal attempt.
  * @throws NotFoundException When the view file could not be found
  *   or MissingViewException in debug mode.
  */
@@ -42,6 +43,9 @@ public function display() {
 		if (!$count) {
 			return $this->redirect('/');
 		}
+		if (in_array('..', $path, true) || in_array('.', $path, true)) {
+			throw new ForbiddenException();
+		}
 		$page = $subpage = $title_for_layout = null;
 
 		if (!empty($path[0])) {
diff --git a/lib/Cake/Test/Case/Controller/PagesControllerTest.php b/lib/Cake/Test/Case/Controller/PagesControllerTest.php
@@ -75,4 +75,21 @@ public function testMissingViewInDebug() {
 		$Pages = new PagesController(new CakeRequest(null, false), new CakeResponse());
 		$Pages->display('non_existing_page');
 	}
+
+/**
+ * Test directory traversal protection
+ *
+ * @expectedException ForbiddenException
+ * @expectedExceptionCode 403
+ * @return void
+ */
+	public function testDirectoryTraversalProtection() {
+		App::build(array(
+			'View' => array(
+				CAKE . 'Test' . DS . 'test_app' . DS . 'View' . DS
+			)
+		));
+		$Pages = new PagesController(new CakeRequest(null, false), new CakeResponse());
+		$Pages->display('..', 'Posts', 'index');
+	}
 }
