Reject paths with funky whitespace.

thephpleague · Jun 23, 2021 · f3ad691 · f3ad691 · EduemLibrarian1 · Jul 1, 2021
1 parent 1ac14e9
commit f3ad691
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 .php_cs.cache
+.phpunit.result.cache
 php-cs-fixer
 bin
 composer.lock

diff --git a/src/CorruptedPathDetected.php b/src/CorruptedPathDetected.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace League\Flysystem;
+
+use LogicException;
+
+class CorruptedPathDetected extends LogicException implements FilesystemException
+{
+    /**
+     * @param string $path
+     * @return CorruptedPathDetected
+     */
+    public static function forPath($path)
+    {
+        return new CorruptedPathDetected("Corrupted path detected: " . $path);
+    }
+}
diff --git a/src/Util.php b/src/Util.php
@@ -5,6 +5,8 @@
 use League\Flysystem\Util\MimeType;
 use LogicException;
 
+use function strcmp;
+
 class Util
 {
     /**
@@ -102,8 +104,7 @@ public static function normalizePath($path)
     public static function normalizeRelativePath($path)
     {
         $path = str_replace('\\', '/', $path);
-        $path = static::removeFunkyWhiteSpace($path);
-
+        $path =  static::removeFunkyWhiteSpace($path);
         $parts = [];
 
         foreach (explode('/', $path) as $part) {
@@ -127,22 +128,22 @@ public static function normalizeRelativePath($path)
             }
         }
 
-        return implode('/', $parts);
+        $path = implode('/', $parts);
+
+        return $path;
     }
 
     /**
-     * Removes unprintable characters and invalid unicode characters.
+     * Rejects unprintable characters and invalid unicode characters.
      *
      * @param string $path
      *
      * @return string $path
      */
     protected static function removeFunkyWhiteSpace($path)
     {
-        // We do this check in a loop, since removing invalid unicode characters
-        // can lead to new characters being created.
-        while (preg_match('#\p{C}+|^\./#u', $path)) {
-            $path = preg_replace('#\p{C}+|^\./#u', '', $path);
+        if (preg_match('#\p{C}+#u', $path)) {
+            throw CorruptedPathDetected::forPath($path);
         }
 
         return $path;
@@ -205,7 +206,7 @@ public static function emulateDirectories(array $listing)
         $listedDirectories = [];
 
         foreach ($listing as $object) {
-            list($directories, $listedDirectories) = static::emulateObjectDirectories($object, $directories, $listedDirectories);
+            [$directories, $listedDirectories] = static::emulateObjectDirectories($object, $directories, $listedDirectories);
         }
 
         $directories = array_diff(array_unique($directories), array_unique($listedDirectories));

diff --git a/tests/UtilTests.php b/tests/UtilTests.php
@@ -35,6 +35,23 @@ public function testContentSize()
         $this->assertEquals(3, Util::contentSize('135'));
     }
 
+    /**
+     * @dataProvider dbCorruptedPath
+     */
+    public function testRejectingPathWithFunkyWhitespace($path)
+    {
+        $this->expectException(CorruptedPathDetected::class);
+        Util::normalizePath($path);
+    }
+
+    /**
+     * @return array
+     */
+    public function dbCorruptedPath()
+    {
+        return [["some\0/path.txt"], ["s\x09i.php"]];
+    }
+
     public function mapProvider()
     {
         return [
@@ -95,7 +112,7 @@ public function invalidPathProvider()
     }
 
     /**
-     * @dataProvider       invalidPathProvider
+     * @dataProvider invalidPathProvider
      */
     public function testOutsideRootPath($path)
     {
@@ -125,7 +142,6 @@ public function pathProvider()
             ['example/path/..txt', 'example/path/..txt'],
             ['\\example\\path.txt', 'example/path.txt'],
             ['\\example\\..\\path.txt', 'path.txt'],
-            ["some\0/path.txt", 'some/path.txt'],
         ];
     }