Fix plugin view names being able to escape the plugin root directory.
Remove the ability to specify completely arbitrary view files. This is
possibly a breaking change. However, I feel the risks outweigh the
benefits in this situation. Now absolute paths must be located *within*
a configured view path.
markstory committed Nov 2, 2015
1 parent d220616 commit 5e60cc5
Showing 2 changed files with 20 additions and 3 deletions.
20 changes: 20 additions & 0 deletions lib/Cake/Test/Case/View/ViewTest.php
Expand Up @@ -395,6 +395,26 @@ public function testGetTemplate() {
$this->assertEquals($expected, $result);
}

/**
* Test that plugin files with absolute file paths are scoped
* to the plugin and do now allow any file path.
*
* @expectedException MissingViewException
* @return void
*/
public function testPluginGetTemplateAbsoluteFail() {
$this->Controller->viewPath = 'Pages';
$this->Controller->action = 'display';
$this->Controller->params['pass'] = array('home');

$view = new TestThemeView($this->Controller);
$expected = CAKE . 'Test' . DS . 'test_app' . DS . 'Plugin' . DS . 'Company' . DS . 'TestPluginThree' . DS . 'View' . DS . 'Pages' . DS . 'index.ctp';
$result = $view->getViewFileName('Company/TestPluginThree./Pages/index');
$this->assertPathEquals($expected, $result);

$view->getViewFileName('Company/TestPluginThree./etc/passwd');
}

/**
* Test getLayoutFileName method on plugin
*
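Review bot: The docblock on `testPluginGetTemplateAbsoluteFail` says `do now allow any file path`, which inverts the intent; it should read `* to the plugin and do not allow any file path.` The test only exercises the leading-separator form of an absolute name (`/etc/passwd`), while the View.php hunk handles the drive-letter form in the same branch (`$name[1] === ':'`), so either a second negative case for that form or a sentence in the docblock explaining why it is not covered would make the coverage explicit. Because `@expectedException` applies to the whole method, the positive `assertPathEquals` step could be masked if `getViewFileName('Company/TestPluginThree./Pages/index')` itself threw MissingViewException; splitting the positive and negative calls into two test methods keeps the expected exception tied to the `/etc/passwd` call alone.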
3 changes: 0 additions & 3 deletions lib/Cake/View/View.php
Expand Up @@ -1012,9 +1012,6 @@ protected function _getViewFileName($name = null) {
$name = $this->viewPath . DS . $subDir . Inflector::underscore($name);
} elseif (strpos($name, DS) !== false) {
if ($name[0] === DS || $name[1] === ':') {
if (is_file($name)) {
return $name;
}
$name = trim($name, DS);
} elseif ($name[0] === '.') {
$name = substr($name, 3);
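Review bot: With the early return gone, an absolute `$name` only has its leading and trailing separators removed by `trim($name, DS)`, and nothing in this hunk rejects `..` segments, so whether the trimmed name is actually confined to a configured view path depends on code outside the hunk (`_getViewFileName` continues past `$name = substr($name, 3);`). If the lookup that follows concatenates each view path with `$name`, consider resolving the candidate with `realpath()` and verifying it starts with that view path, or throwing when `$name` contains a `..` segment, so the confinement the commit message promises does not rest on the later code alone. The drive-letter branch (`$name[1] === ':'`) now keeps the `C:` prefix in the name after trimming, which presumably just fails the lookup; a comment such as `// Absolute names are resolved relative to the configured view paths, never used directly.` above the trim would record the intent. The method's docblock is outside the hunk and should mention the same restriction.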
