Close security vulnerability that allowed download of any file access…

…ible to the web server user

app/bundles/CoreBundle/Assets/js/libraries/ckeditor/filemanager/connectors/php/filemanager.class.php

@@ -950,7 +950,7 @@ public function download()
             $this->__log(__METHOD__.' - downloading '.$current_path);
             exit();
         } else {
-            $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'), $current_path));
+            $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'), $this->getRelPath()));
         }
     }
 
@@ -976,7 +976,7 @@ public function preview($thumbnail)
 
             exit();
         } else {
-            $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'), $current_path));
+            $this->error(sprintf($this->lang('FILE_DOES_NOT_EXIST'), $this->getRelPath()));
         }
     }
 
@@ -1107,9 +1107,7 @@ private function get_file_info($path = '', $thumbnail = false)
     private function getFullPath($path = '')
     {
         if ($path == '') {
-            if (isset($this->get['path'])) {
-                $path = $this->get['path'];
-            }
+            $path = $this->getRelPath();
         }
 
         if ($this->config['options']['fileRoot'] !== false) {
@@ -1130,6 +1128,14 @@ private function getFullPath($path = '')
         return $full_path;
     }
 
+    /**
+     * @return mixed|string
+     */
+    private function getRelPath()
+    {
+        return (isset($this->get['path'])) ? $this->get['path'] : '';
+    }
+
     /**
      * format path regarding the initial configuration.
      *
@@ -1462,7 +1468,10 @@ private function sanitize($var)
         $sanitized = strip_tags($var);
         $sanitized = str_replace('http://', '', $sanitized);
         $sanitized = str_replace('https://', '', $sanitized);
-        $sanitized = str_replace('../', '', $sanitized);
+        $count     = 1;
+        while ($count > 0) {
+            $sanitized = str_replace('../', '', $sanitized, $count);
+        }
 
         return $sanitized;
     }