
Prevent directory traversal and limit files deleted when clearing modFileRegister
opengeek committed Jul 12, 2018
1 parent 3fc5038 commit 606dc0f1635de4b699d1151616af75e5c08d4cdd
@@ -108,7 +108,7 @@
$cacheManager->deleteTree($packageDirectory . 'core',array(
'deleteTop' => true,
'skipDirs' => false,
'extensions' => '*',
'extensions' => array(),
));
}
if (!file_exists($packageDirectory . 'core') && !file_exists($packageDirectory . 'core.transport.zip')) {
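Review bot: The new `'extensions' => array()` passed to deleteTree() replaces the `'*'` wildcard, but from these lines a reader cannot tell whether an empty extensions list means "no suffix filter, delete everything" or "match nothing", and the remove() hunk further down makes the same swap from `''`. Since the commit is about limiting what gets deleted, the intent should be pinned at the call site with a short comment such as `// empty extensions list: no suffix filter, every file under core/ is removed — confirm against modCacheManager::deleteTree`. The enclosing function starts outside this hunk, so whether `$packageDirectory` is already validated before this call is not visible here.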
@@ -4,6 +4,7 @@ development release, and is only shown to give an idea of what's currently in th

MODX Revolution 2.6.5-pl (TBD)
====================================
- Prevent directory traversal and limit files deleted when clearing modFileRegister [#13980]
- Filter user input used in phpthumb [#13979]

MODX Revolution 2.6.4-pl (June 7, 2018)
@@ -632,7 +632,7 @@ public function remove($options = array()) {
$options = array_merge(array(
'deleteTop' => true,
'skipDirs' => false,
'extensions' => '',
'extensions' => array(),
), $options);
$this->fileHandler->modx->getCacheManager();
@@ -27,16 +27,21 @@ class modFileRegister extends modRegister {
/**
* Construct a new modFileRegister instance.
*
* {@inheritdoc}
* @param modX &$modx A reference to a modX instance.
* @param string $key A valid PHP variable which will be set on the modRegistry instance.
* @param array $options Optional array of registry options.
*/
function __construct(& $modx, $key, $options = array()) {
parent :: __construct($modx, $key, $options);
function __construct(& $modx, $key, $options = array())
{
parent::__construct($modx, $key, $options);
$modx->getCacheManager();
$this->directory = $modx->getCachePath() . 'registry/';
$this->directory .= isset($options['directory'])
? $options['directory']
: $key;
if ($this->directory[strlen($this->directory)-1] != '/') $this->directory .= '/';
? $options['directory']
: $key;
$this->directory = rtrim($this->directory, '/') . '/';
}
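Review bot: On the new side the `directory` option and `$key` are still appended to the registry cache path exactly as given (`? $options['directory']` / `: $key`), with only the trailing-slash normalisation via rtrim() added, whereas clear() in the same class now routes topics through sanitizePath(). If either value can ever be influenced by a caller outside the application, the constructor should apply the same normalisation, e.g. `? $this->sanitizePath($options['directory'])` and `: $this->sanitizePath($key)`; if both are always developer-supplied configuration, a comment making that explicit (`// directory/key are trusted configuration, not request input`) would turn the asymmetry into a documented decision rather than an oversight.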
/**
@@ -57,12 +62,16 @@ public function connect(array $attributes = array()) {
*
* {@inheritdoc}
*/
public function clear($topic) {
$topicDirectory = $this->directory;
$topicDirectory.= $topic[0] == '/' ? substr($topic, 1) : $topic ;
return $this->modx->cacheManager->deleteTree($topicDirectory, array(
'extensions' => '.msg.php'
));
public function clear($topic)
{
$topicDirectory = $this->directory . ltrim($this->sanitizePath($topic), '/');
return $this->modx->cacheManager->deleteTree(
realpath($topicDirectory),
array(
'extensions' => array('.msg.php')
)
);
}
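Review bot: `realpath($topicDirectory)` on the new side is handed straight to deleteTree(): it returns `false` when the topic directory does not exist, and when it does exist the canonical path is never checked to still lie under `$this->directory`, so containment rests entirely on the regex in sanitizePath(), which rewrites dot segments only where a separator follows them. Resolve both the base and the topic path, refuse to delete when either is unavailable or the topic is not inside the base, and only then call deleteTree(); what clear() should return on refusal is not visible in this hunk, so the `false` below is a placeholder for whatever the modRegister contract expects.
```php
public function clear($topic)
{
    $baseDirectory = realpath($this->directory);
    $topicDirectory = realpath($this->directory . ltrim($this->sanitizePath($topic), '/'));
    // Only delete when the canonical topic path is the registry directory itself
    // or a descendant of it; realpath() also yields false for a missing topic.
    if ($baseDirectory === false
        || $topicDirectory === false
        || strpos($topicDirectory . '/', rtrim($baseDirectory, '/') . '/') !== 0
    ) {
        return false;
    }
    return $this->modx->cacheManager->deleteTree($topicDirectory, array(
        'extensions' => array('.msg.php')
    ));
}
```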
/**
@@ -263,4 +272,14 @@ public function send($topic, $message, array $options = array()) {
public function close() {
return true;
}
/**
* Sanitize the specified path
*
* @param string $path The path to clean
* @return string The sanitized path
*/
protected function sanitizePath($path) {
return preg_replace(array("/\.*[\/|\\\]/i", "/[\/|\\\]+/i"), array('/', '/'), $path);
}
}
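Review bot: Inside the character classes of both patterns in sanitizePath() the `|` is a literal, not an alternation, so a `|` in the path is rewritten to `/` along with the real separators, and the `i` modifier has no effect on a class of punctuation; `return preg_replace(array("/\.*[\/\\\\]/", "/[\/\\\\]+/"), '/', $path);` expresses the intended separator set with a single replacement. The docblock should also state what the method actually does rather than "sanitize": the first pattern drops any run of dots that immediately precedes a separator (so `.` and `..` segments disappear only when a separator follows them) and the second collapses runs of `/` or `\` into one `/`, and the result is a normalised string, not a guarantee that the path stays inside a base directory, which callers must still verify on the resolved path.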
