
fixthatcode

1 parent c807eab commit a626bf069550ec52863d55d57f48385bfb3ae3da @ceeram ceeram committed Sep 4, 2012
Showing with 14 additions and 8 deletions.
  1. +14 −8 View/PdfView.php
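--- a/View/PdfView.php
+++ b/View/PdfView.php
@@ -59,7 +59,8 @@ public function __construct(Controller $Controller = null) {
 if ($Controller instanceof CakeErrorController) {
 $this->subDir = null;
 return $this->response->type('html');
-} elseif (!$this->pdfConfig) {
+}
+if (!$this->pdfConfig) {
 throw new CakeException(__d('cakepdf', 'Controller attribute $pdfConfig is not correct or missing'));
 }
 $this->renderer($this->pdfConfig);
@@ -90,17 +91,22 @@ public function render($view = null, $layout = null) {
 }
 if (isset($this->pdfConfig['download']) && $this->pdfConfig['download'] === true) {
-$id = current($this->request->params['pass']);
-$filename = strtolower($this->viewPath) . $id . '.pdf';
-if (isset($this->pdfConfig['filename'])) {
-$filename = $this->pdfConfig['filename'];
-}
-
-$this->response->download($filename);
+$this->response->download($this->getFilename());
 }
 $this->Blocks->set('content', $this->renderer()->output($content));
 return $this->Blocks->get('content');
 }
+/**
+ * Get or build a filename for forced download
+ * @return string The filename
+ */
+ public function getFilename() {
+ if (isset($this->pdfConfig['filename'])) {
+ return $this->pdfConfig['filename'];
+ }
+ $id = current($this->request->params['pass']);
+ return strtolower($this->viewPath) . $id . '.pdf';
+ }
 }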
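Review bot: The new `getFilename()` still builds the fallback name from the first passed route argument, `current($this->request->params['pass'])`, a request-controlled string, and `render()` hands it unchanged to `$this->response->download()`, which in CakePHP 2 places it in a Content-Disposition header; the refactor moves this code but does not constrain the value. Restricting it to a safe character set before concatenation would close that, e.g. `$id = preg_replace('/[^A-Za-z0-9_-]/', '', (string)current($this->request->params['pass']));`. The docblock should also say that when `pass` is empty `current()` yields `false` and the result is just `strtolower($this->viewPath) . '.pdf'`, since callers may not expect an id-less name. The body of `render()` and the class header lie outside the hunk.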

1 comment on commit a626bf0

@frazr

Oops! Nice catch on the directory traversal vulnerability on line 94 👍
