
Check for directory traversal in layout paths.

Refs #3945
markstory committed Jul 16, 2014
1 parent 0c7720e commit fcec8ef537e61573b9dfe43d2742c56b40473aaf
Showing with 24 additions and 4 deletions.
  1. +4 −4 src/View/View.php
  2. +20 −0 tests/TestCase/View/ViewTest.php
@@ -923,7 +923,6 @@ protected function _getLayoutFileName($name = null) {
$subDir = $this->layoutPath . DS;
}
list($plugin, $name) = $this->pluginSplit($name);
$paths = $this->_paths($plugin);
$layoutPaths = ['Layout' . DS . $subDir];
if (!empty($this->request->params['prefix'])) {
@@ -933,10 +932,11 @@ protected function _getLayoutFileName($name = null) {
);
}
foreach ($paths as $path) {
foreach ($this->_paths($plugin) as $path) {
foreach ($layoutPaths as $layoutPath) {
if (file_exists($path . $layoutPath . $name . $this->_ext)) {
return $path . $layoutPath . $name . $this->_ext;
$currentPath = $path . $layoutPath;
if (file_exists($currentPath . $name . $this->_ext)) {
return $this->_checkFilePath($currentPath . $name . $this->_ext, $currentPath);
}
}
}
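Review bot: On the new `if (file_exists($currentPath . $name . $this->_ext))` line the filesystem is still probed with the unvalidated name before `_checkFilePath()` on the following line gets to reject it, so a traversal name causes a stat() outside the layout directory on every candidate path even though it can no longer be returned. If `_checkFilePath()` does not require the file to exist (it is defined outside this hunk, so I cannot tell), validating `$name` once before the two loops would avoid both the repeated probing and the per-candidate call. A short why-comment on the return line would also help readers who do not know the helper, e.g. `// _checkFilePath() presumably rejects a resolved path that escapes $currentPath — see its docblock.` `_getLayoutFileName()` starts before the first hunk and its fall-through when no candidate matches lies outside this one.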
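--- a/tests/TestCase/View/ViewTest.php
+++ b/tests/TestCase/View/ViewTest.php
@@ -613,6 +613,26 @@ public function testGetLayoutFileNamePrefix() {
 $this->assertPathEquals($expected, $result);
 }
+/**
+* Test that getLayoutFileName() protects against malicious directory traversal.
+*
+* @expectedException Cake\View\Error\MissingViewException
+* @return void
+*/
+public function testGetLayoutFileNameDirectoryTraversal() {
+$viewOptions = [
+'plugin' => null,
+'name' => 'Pages',
+'viewPath' => 'Pages',
+];
+$request = $this->getMock('Cake\Network\Request');
+$response = $this->getMock('Cake\Network\Response');
+$view = new TestView(null, null, null, $viewOptions);
+$view->ext('.php');
+$view->getLayoutFileName('../../../../bootstrap');
+}
 /**
 * Test for missing views
 *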
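Review bot: The `$request` and `$response` mocks created on the two `getMock()` lines are never used — the view is built with `new TestView(null, null, null, $viewOptions)` — so those two lines should be dropped. The test also only asserts that `Cake\View\Error\MissingViewException` is thrown; unless `../../../../bootstrap.php` resolves to an existing file relative to the layout directories being searched, the pre-commit code throws the same exception for a missing layout and the test passes without `_checkFilePath()` ever being exercised. Pointing the traversal at a file that is known to exist from those directories, or asserting on a message specific to the traversal rejection if `_checkFilePath()` uses one, would make this a real regression test. The closing docblock lines belong to the next test method, which continues outside the hunk.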
