Fix path traversal check for Windows based systems

On Windows-based systems, both backward and forward
slashes are supported as path separators, thus checking for `DS`
only would allow `../` fragments to slip in.

refs #5905, cad57dc
ndm2 committed Aug 19, 2015
1 parent daa795d commit 8fe953548c65b85cf1a919709047fe273d932339
Showing with 15 additions and 3 deletions.
  1. +1 −1 lib/Cake/Network/CakeResponse.php
  2. +14 −2 lib/Cake/Test/Case/Network/CakeResponseTest.php
@@ -1337,7 +1337,7 @@ public function file($path, $options = array()) {
'download' => null
);
if (strpos($path, '..' . DS) !== false) {
if (strpos($path, '../') !== false || strpos($path, '..\\') !== false) {
throw new NotFoundException(__d(
'cake_dev',
'The requested file contains `..` and will not be read.'
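Review bot: the new condition in `file()` still rejects `..` only when a separator follows it, so a path whose last segment is `..` (for example `my/..`) passes both the old `'..' . DS` check and the new `'../'` / `'..\\'` pair; consider matching a `..` segment regardless of what follows, e.g. `preg_match('#(^|[/\\\\])\.\.($|[/\\\\])#', $path)`, which also keeps the two `strpos` calls from drifting apart later. A one-line comment stating why both separators are checked (Windows accepts either, as the commit message explains) would stop the next reader from "simplifying" it back to `DS`.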
@@ -1167,17 +1167,29 @@ public function testFileNotFound() {
}
/**
* test file with ..
* test file with ../
*
* @expectedException NotFoundException
* @expectedExceptionMessage The requested file contains `..` and will not be read.
* @return void
*/
public function testFileWithPathTraversal() {
public function testFileWithForwardSlashPathTraversal() {
$response = new CakeResponse();
$response->file('my/../cat.gif');
}
/**
* test file with ..\
*
* @expectedException NotFoundException
* @expectedExceptionMessage The requested file contains `..` and will not be read.
* @return void
*/
public function testFileWithBackwardSlashPathTraversal() {
$response = new CakeResponse();
$response->file('my\..\cat.gif');
}
/**
* Although unlikely, a file may contain dots in its filename.
* This should be allowed, as long as the dots doesn't specify a path (../ or ..\)
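Review bot: both new tests cover only `..` followed by a separator, mirroring the check in `CakeResponse::file()`; neither exercises a path that ends in `..` (e.g. `'my/..'`), so adding that case would pin down whether such a path is meant to be rejected. The docblock starting `Although unlikely, a file may contain dots in its filename.` is cut off at the end of the hunk shown, so the positive test it introduces (dots inside a filename being allowed) cannot be reviewed here. The backslash fixture `'my\..\cat.gif'` relies on single quotes leaving `\.` untouched, which is correct in PHP but worth a short comment so nobody switches it to double quotes.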

0 comments on commit 8fe9535
