New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preventing deleting any file in registry by mistake and filtering paths in topics #13980
Preventing deleting any file in registry by mistake and filtering paths in topics #13980
Conversation
|
@OptimusCrime Hi, could you have a look? |
| * @return string The sanitized path | ||
| */ | ||
| protected function sanitizePath($path) { | ||
| return preg_replace(array("/\.*[\/|\\\]/i", "/[\/|\\\]+/i"), array('/', '/'), $path); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason the two expressions can not be merged to /\.*[\/|\\]+/i? It should match both ../, ..//// and ////. You might also want to consider an expression such as (?:\.*[\/|\\]+)+. This matches ../../....////// too.
|
Looks fine to me. The expression can be improved/combined I think. I do not have the security issue available, so I do not know just what the attack vector is. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my opinion, all files in the specified registry topic should be removed, so I find the extensions part of this extraneous. I'm going to submit a security fix that addresses only the path traversal issue. We can discuss the extensions issue later. Regardless, the change to _build/transport.core.php should not be in here.
What does it do?
It fixes some issues with path traversal in the cache manager and determining file extensions for deleting.
Why is it needed?
It is a security fix, let's discuss details personally in Slack.
Related issue(s)/PR(s)
none