
Fix plugin view names being able to escape the plugin root directory.

Remove the ability to specify completely arbitrary view files. This is
possibly a breaking change. However, I feel the risks outweigh the
benefits in this situation. Now absolute paths must be located *within*
a configured view path.
markstory committed Oct 29, 2015
1 parent 1920668 commit 0c01172f48bf853f4d5aa9e6d30ff132898858dd
Showing with 28 additions and 8 deletions.
  1. +0 −3 src/View/View.php
  2. +28 −5 tests/TestCase/View/ViewTest.php
@@ -1035,9 +1035,6 @@ protected function _getViewFileName($name = null)
$name = $templatePath . $subDir . $this->_inflectViewFileName($name);
} elseif (strpos($name, DS) !== false) {
if ($name[0] === DS || $name[1] === ':') {
if (is_file($name)) {
return $name;
}
$name = trim($name, DS);
} elseif (!$plugin || $this->templatePath !== $this->name) {
$name = $templatePath . $subDir . $name;
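Review bot: With the `is_file()` early return removed, an absolute `$name` is only stripped of leading and trailing separators on the `trim($name, DS)` line; nothing in this hunk rejects or normalises `..` segments, so whether the trimmed name can still resolve outside a configured view path depends on the lookup loop further down in `_getViewFileName`, which lies outside the hunk. That loop is worth confirming (or given an explicit check before it) rather than relying on the removal of the early return alone. The `$name[1] === ':'` branch now also falls through to `trim()`, which leaves a drive prefix such as `C:` in place, so such a name will presumably just fail the later lookup — fine, but it deserves a comment. Suggested comment above the trim: `// Absolute paths are no longer used as-is; strip the separators so the name is resolved against the configured view paths only.` The enclosing function starts and ends outside this hunk.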
@@ -346,11 +346,6 @@ public function testGetTemplate()
$request->action = 'display';
$request->params['pass'] = ['home'];
$ThemeView = new TestView(null, null, null, $viewOptions);
$expected = TEST_APP . 'Plugin' . DS . 'Company' . DS . 'TestPluginThree' . DS . 'src' . DS . 'Template' . DS . 'Pages' . DS . 'index.ctp';
$result = $ThemeView->getViewFileName('Company/TestPluginThree./Pages/index');
$this->assertPathEquals($expected, $result);
$ThemeView = new TestView(null, null, null, $viewOptions);
$ThemeView->theme = 'TestTheme';
$expected = TEST_APP . 'TestApp' . DS . 'Template' . DS . 'Pages' . DS . 'home.ctp';
@@ -407,6 +402,34 @@ public function testPluginGetTemplate()
$this->assertEquals($expected, $result);
}
/**
* Test that plugin files with absolute file paths are scoped
* to the plugin and do now allow any file path.
*
* @expectedException Cake\View\Exception\MissingTemplateException
* @return void
*/
public function testPluginGetTemplateAbsoluteFail()
{
$request = $this->getMock('Cake\Network\Request');
$response = $this->getMock('Cake\Network\Response');
$viewOptions = [
'plugin' => null,
'name' => 'Pages',
'viewPath' => 'Pages'
];
$request->action = 'display';
$request->params['pass'] = ['home'];
$view = new TestView(null, null, null, $viewOptions);
$expected = TEST_APP . 'Plugin' . DS . 'Company' . DS . 'TestPluginThree' . DS . 'src' . DS . 'Template' . DS . 'Pages' . DS . 'index.ctp';
$result = $view->getViewFileName('Company/TestPluginThree./Pages/index');
$this->assertPathEquals($expected, $result);
$view->getViewFileName('Company/TestPluginThree./etc/passwd');
}
/**
* Test getViewFileName method on plugin
*
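Review bot: In `testPluginGetTemplateAbsoluteFail` the `@expectedException` annotation covers the whole method, so if the first `getViewFileName('Company/TestPluginThree./Pages/index')` call threw `MissingTemplateException` the test would still pass without ever verifying the positive case. Move the expectation next to the call that should fail — `$this->setExpectedException('Cake\View\Exception\MissingTemplateException');` immediately before `$view->getViewFileName('Company/TestPluginThree./etc/passwd');` — and drop the annotation. The `$request` and `$response` mocks are created and configured but never passed to `new TestView(null, null, null, $viewOptions)`, so those lines are dead setup; either pass them in or remove them. The docblock reads `do now allow any file path`; it should be `do not allow any file path`.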
