
Don't load classnames with `..` in their names.

Classnames with . in them are invalid and can be leveraged to load code
outside of an application by traversing directories.
Commit 9754789b697c1d1430e6ca2f62341d405e20f6f4 (parent da033cb), committed by markstory on Jul 1, 2013.
Showing 3 additions and 0 deletions in 1 file: lib/Cake/Core/App.php

lib/Cake/Core/App.php
@@ -535,6 +535,9 @@ public static function load($className) {
if (!isset(self::$_classMap[$className])) {
return false;
}
+ if (strpos($className, '..')) {
+ return false;
+ }
$parts = explode('.', self::$_classMap[$className], 2);
list($plugin, $package) = count($parts) > 1 ? $parts : array(null, current($parts));
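Review bot: the added `if (strpos($className, '..'))` check misses a `..` that sits at the very start of the class name, because `strpos` returns `0` for a match at offset 0 and `0` is falsy, so such a name falls through to the path construction below. Compare the result explicitly against `false`: `if (strpos($className, '..') !== false) {` rejects the sequence at any position.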
