Response::file() & directory traversal [3.x] #7015

quickapps · 2015-07-15T07:40:37Z

Currently the method Response::file() performs a very basic checking against "Directory Traversal" attacks by doing this:

if (strpos($path, '..') !== false) {
    throw new NotFoundException('The requested file contains `..` and will not be read.');
}

This approach doesn't allow us to work with file names containing two consecutive dots symbols, e.g. Some truncated name ... .pdf

Proposed solution, remove filename from $path before checking:

if (strpos(dirname($path), '..') !== false) {
    throw new NotFoundException('The requested file contains `..` and will not be read.');
}

The text was updated successfully, but these errors were encountered:

antograssiot · 2015-07-15T12:27:28Z

@quickapps would you like to submit a PR for this ?

fixes cakephp#7015

antograssiot · 2015-07-15T14:19:46Z

closed with #7021

lorenzo added this to the 3.0.9 milestone Jul 15, 2015

lorenzo added the enhancement label Jul 15, 2015

markstory self-assigned this Jul 15, 2015

quickapps added a commit to quickapps/cakephp that referenced this issue Jul 15, 2015

Fix directory traversal security checking

92e3e09

fixes cakephp#7015

quickapps mentioned this issue Jul 15, 2015

More accurate directory traversal security checking #7021

Merged

antograssiot closed this as completed Jul 15, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Response::file() & directory traversal [3.x] #7015

Response::file() & directory traversal [3.x] #7015

quickapps commented Jul 15, 2015

antograssiot commented Jul 15, 2015

antograssiot commented Jul 15, 2015

Response::file() & directory traversal [3.x] #7015

Response::file() & directory traversal [3.x] #7015

Comments

quickapps commented Jul 15, 2015

antograssiot commented Jul 15, 2015

antograssiot commented Jul 15, 2015