
Ignore asset requests containing %2e in them.

urldecode URIs early to avoid issues with encoded `.` characters.

Backport d4db64f to 2.2 for a security
release.
commit e65c404bad24f5880c44386e821f06210a5ec74b 1 parent d8a1196
@markstory markstory authored
8 lib/Cake/Routing/Filter/AssetDispatcher.php
@@ -41,7 +41,7 @@ class AssetDispatcher extends DispatcherFilter {
* @return CakeResponse if the client is requesting a recognized asset, null otherwise
*/
public function beforeDispatch($event) {
- $url = $event->data['request']->url;
+ $url = urldecode($event->data['request']->url);
$response = $event->data['response'];
if (strpos($url, '..') !== false || strpos($url, '.') === false) {
@@ -61,7 +61,7 @@ public function beforeDispatch($event) {
if ($parts[0] === 'theme') {
$themeName = $parts[1];
unset($parts[0], $parts[1]);
- $fileFragment = urldecode(implode(DS, $parts));
+ $fileFragment = implode(DS, $parts);
$path = App::themePath($themeName) . 'webroot' . DS;
if (file_exists($path . $fileFragment)) {
$assetFile = $path . $fileFragment;
@@ -70,7 +70,7 @@ public function beforeDispatch($event) {
$plugin = Inflector::camelize($parts[0]);
if (CakePlugin::loaded($plugin)) {
unset($parts[0]);
- $fileFragment = urldecode(implode(DS, $parts));
+ $fileFragment = implode(DS, $parts);
$pluginWebroot = CakePlugin::path($plugin) . 'webroot' . DS;
if (file_exists($pluginWebroot . $fileFragment)) {
$assetFile = $pluginWebroot . $fileFragment;
@@ -156,4 +156,4 @@ protected function _deliverAsset(CakeResponse $response, $assetFile, $ext) {
}
}
-}
+}
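Review bot: The decode-once design in the first hunk (`$url = urldecode($event->data['request']->url);` at the top of beforeDispatch) is only safe because the second and third hunks stop calling `urldecode()` on `$parts` when building `$fileFragment`, yet nothing in the code records that dependency, so a later change could reintroduce a decode on the file fragment and let a double-encoded dot sequence get past the `..` check that now runs on the decoded string. Add a comment above the decode line: `// Decode once, before the '..' check, so encoded dots are caught; the $parts used to build paths below must never be decoded again, or a double-encoded sequence would survive the check.` beforeDispatch continues outside the first hunk, and the final `-}`/`+}` hunk looks like a trailing-whitespace change only.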
61 lib/Cake/Test/Case/Routing/Filter/AssetDispatcherTest.php
@@ -121,4 +121,65 @@ public function testNotModified() {
$this->assertSame($response, $filter->beforeDispatch($event));
$this->assertEquals($time->format('D, j M Y H:i:s') . ' GMT', $response->modified());
}
+
+/**
+ * Test that no exceptions are thrown for //index.php type urls.
+ *
+ * @return void
+ */
+ public function test404OnDoubleSlash() {
+ $filter = new AssetDispatcher();
+
+ $response = $this->getMock('CakeResponse', array('_sendHeader'));
+ $request = new CakeRequest('//index.php');
+ $event = new CakeEvent('Dispatcher.beforeRequest', $this, compact('request', 'response'));
+
+ $this->assertNull($filter->beforeDispatch($event));
+ $this->assertFalse($event->isStopped());
+ }
+
+/**
+ * Test that attempts to traverse directories are prevented.
+ *
+ * @return void
+ */
+ public function test404OnDoubleDot() {
+ App::build(array(
+ 'Plugin' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'Plugin' . DS),
+ 'View' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'View' . DS)
+ ), APP::RESET);
+
+ $response = $this->getMock('CakeResponse', array('_sendHeader'));
+ $request = new CakeRequest('theme/test_theme/../../../../../../VERSION.txt');
+ $event = new CakeEvent('Dispatcher.beforeRequest', $this, compact('request', 'response'));
+
+ $response->expects($this->never())->method('send');
+
+ $filter = new AssetDispatcher();
+ $this->assertNull($filter->beforeDispatch($event));
+ $this->assertFalse($event->isStopped());
+ }
+
+/**
+ * Test that attempts to traverse directories with urlencoded paths fail.
+ *
+ * @return void
+ */
+ public function test404OnDoubleDotEncoded() {
+ App::build(array(
+ 'Plugin' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'Plugin' . DS),
+ 'View' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'View' . DS)
+ ), APP::RESET);
+
+ $response = $this->getMock('CakeResponse', array('_sendHeader', 'send'));
+ $request = new CakeRequest('theme/test_theme/%2e./%2e./%2e./%2e./%2e./%2e./VERSION.txt');
+ $event = new CakeEvent('Dispatcher.beforeRequest', $this, compact('request', 'response'));
+
+ $response->expects($this->never())->method('send');
+
+ $filter = new AssetDispatcher();
+ $this->assertNull($filter->beforeDispatch($event));
+ $this->assertFalse($event->isStopped());
+ }
+
}
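Review bot: In test404OnDoubleDot the mock created by `$response = $this->getMock('CakeResponse', array('_sendHeader'));` does not list `send`, so the `$response->expects($this->never())->method('send');` expectation a few lines later appears to be attached to a method the mock never intercepts and would not fail even if the asset were delivered. test404OnDoubleDotEncoded builds its mock with `array('_sendHeader', 'send')`; make the earlier test consistent with it: `$response = $this->getMock('CakeResponse', array('_sendHeader', 'send'));`. Both new tests also write `APP::RESET` in a different case from the `App::build(` call on the preceding line; it works because class names are case-insensitive, but `App::RESET` reads consistently with the rest of the file.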