From da70e92cc147b114590b155bc71185cc205d1702 Mon Sep 17 00:00:00 2001 From: Dmitry Demidovsky Date: Fri, 4 Dec 2015 14:02:02 +0300 Subject: [PATCH 1/5] normalize paths before checking allowed dirs --- lib/Minify/Source/Factory.php | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/lib/Minify/Source/Factory.php b/lib/Minify/Source/Factory.php index 8b41e55..4f28d0e 100644 --- a/lib/Minify/Source/Factory.php +++ b/lib/Minify/Source/Factory.php @@ -110,6 +110,25 @@ class Minify_Source_Factory { return $realpath; } + + /** + * @param string $path + * @return string + */ + public function getNormalizedPath($path) + { + // turn windows-style slashes into unix-style + $norm = str_replace("\\", "/", $path); + + // lowercase drive letter + if (preg_match('/^\w:/', $norm)) { + $norm = lcfirst($norm); + } + + return $norm; + } + + /** * @param mixed $spec * @@ -140,7 +159,7 @@ class Minify_Source_Factory { if ($this->options['checkAllowDirs']) { foreach ((array)$this->options['allowDirs'] as $allowDir) { - if (strpos($spec['filepath'], $allowDir) !== 0) { + if (strpos($this->getNormalizedPath($spec['filepath']), $this->getNormalizedPath($allowDir)) !== 0) { throw new Minify_Source_FactoryException("File '{$spec['filepath']}' is outside \$allowDirs." . " If the path is resolved via an alias/symlink, look into the \$min_symlinks option."); } From 3f02443c1f3e76ebd949a2322f4b2d3fe40c26f2 Mon Sep 17 00:00:00 2001 From: Dmitry Demidovsky Date: Sat, 5 Dec 2015 17:51:58 +0300 Subject: [PATCH 2/5] Added rtrim, removed preg_match --- lib/Minify/Source/Factory.php | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/lib/Minify/Source/Factory.php b/lib/Minify/Source/Factory.php index 4f28d0e..cc3648a 100644 --- a/lib/Minify/Source/Factory.php +++ b/lib/Minify/Source/Factory.php 
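Review bot: `getNormalizedPath()` as added in the first hunk of [PATCH 1/5] is a purely lexical rewrite (separators and drive-letter case) that leaves `.` and `..` segments in place, and its docblock has no description saying so. Its result feeds the `allowDirs` prefix test in the second hunk, so that test is only sound if `$spec['filepath']` and every `allowDirs` entry were already resolved. The `return $realpath;` context line suggests this, but the hunk does not show it. I would add a docblock description such as `Lexical normalization only: expects an absolute path already resolved with realpath(); "." and ".." segments are not collapsed.`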
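Review bot: The `strpos(...) !== 0` test in the second hunk of [PATCH 1/5] is a bare string-prefix comparison with no directory boundary, so an allowed directory `/srv/www/js` (constructed example) also admits a file under a sibling directory `/srv/www/js-private/`. [PATCH 2/5] makes this unconditional by stripping the trailing slash from the normalized `$allowDir`, and the rewritten loop in [PATCH 3/5] keeps the same comparison. Anchoring the needle on a separator closes the gap: use `$this->getNormalizedPath($allowDir) . '/'` as the second argument to `strpos()`. The enclosing method starts and ends outside the hunk.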
@@ -112,20 +112,15 @@ class Minify_Source_Factory { /** - * @param string $path + * @param string $path * @return string */ public function getNormalizedPath($path) { - // turn windows-style slashes into unix-style - $norm = str_replace("\\", "/", $path); - - // lowercase drive letter - if (preg_match('/^\w:/', $norm)) { - $norm = lcfirst($norm); - } - - return $norm; + // turn windows-style slashes into unix-style, + // remove trailing slash + // and lowercase drive letter + return lcfirst(rtrim(str_replace('\\', '/', $path), '/')); } From 3fcb383f4916b7e441a55ae7dde3ed249cef1bcb Mon Sep 17 00:00:00 2001 From: Dmitry Demidovsky Date: Sat, 5 Dec 2015 22:58:00 +0300 Subject: [PATCH 3/5] Changed allowDirs comparsion logic #497 --- lib/Minify/Source/Factory.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lib/Minify/Source/Factory.php b/lib/Minify/Source/Factory.php index cc3648a..2cec8d6 100644 --- a/lib/Minify/Source/Factory.php +++ b/lib/Minify/Source/Factory.php @@ -153,12 +153,17 @@ class Minify_Source_Factory { } if ($this->options['checkAllowDirs']) { + $inAllowedDir = false; foreach ((array)$this->options['allowDirs'] as $allowDir) { - if (strpos($this->getNormalizedPath($spec['filepath']), $this->getNormalizedPath($allowDir)) !== 0) { - throw new Minify_Source_FactoryException("File '{$spec['filepath']}' is outside \$allowDirs." - . " If the path is resolved via an alias/symlink, look into the \$min_symlinks option."); + if (strpos($this->getNormalizedPath($spec['filepath']), $this->getNormalizedPath($allowDir)) === 0) { + $inAllowedDir = true; } } + + if (!$inAllowedDir) { + throw new Minify_Source_FactoryException("File '{$spec['filepath']}' is outside \$allowDirs." + . " If the path is resolved via an alias/symlink, look into the \$min_symlinks option."); + } } $basename = basename($spec['filepath']); From 01d4835d146d2b964ea3f91928b2bf105ac72eeb Mon Sep 17 00:00:00 2001 
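Review bot: In [PATCH 2/5], `rtrim(..., '/')` turns a root path `/` into the empty string, which the caller then passes to `strpos()` as the needle. Before PHP 8.0 an empty needle raises a warning and returns `false`; from 8.0 on it returns `0`, so an `allowDirs` entry of `/` rejects every file on one runtime and matches every file on the other. Dropping the `preg_match` guard also makes `lcfirst()` lowercase the first character of any path rather than only a drive letter, which matters if a non-absolute path ever reaches this method. I would keep the guard as `if (preg_match('/^[A-Za-z]:/', $norm)) { $norm = lcfirst($norm); }` and have the caller append `'/'` to the normalized directory before comparing.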
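Review bot: The new loop in [PATCH 3/5] re-normalizes `$spec['filepath']` on every iteration and keeps scanning after a match. Computing `$filepath = $this->getNormalizedPath($spec['filepath']);` once before the `foreach` and adding `break;` after `$inAllowedDir = true;` makes the first-match-wins intent explicit. The exception message still interpolates the full `$spec['filepath']`; whether that text can reach an HTTP response is not visible in this hunk, so it is worth confirming that it is only logged. The enclosing method starts and ends outside the hunk.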
From: Dmitry Demidovsky Date: Sat, 5 Dec 2015 23:00:11 +0300 Subject: [PATCH 4/5] translate legacy setting to option for source factory (AllowDir) --- index.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/index.php b/index.php index dbe285f..938a49b 100644 --- a/index.php +++ b/index.php @@ -120,6 +120,11 @@ $sourceFactoryOptions = array(); if (isset($min_serveOptions['minApp']['noMinPattern'])) { $sourceFactoryOptions['noMinPattern'] = $min_serveOptions['minApp']['noMinPattern']; } + +if (isset($min_serveOptions['minApp']['allowDirs'])) { + $sourceFactoryOptions['allowDirs'] = $min_serveOptions['minApp']['allowDirs']; +} + $sourceFactory = new Minify_Source_Factory($env, $sourceFactoryOptions, $cache); $controller = call_user_func($min_factories['controller'], $env, $sourceFactory); From 14bde12d3bff234475e9855adf029d1ff9a3fa9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Fri, 22 Jan 2016 08:50:13 +0200 Subject: [PATCH 5/5] changes as per comments https://github.com/mrclay/minify/pull/496#discussion_r50247608 --- lib/Minify/Source/Factory.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/Minify/Source/Factory.php b/lib/Minify/Source/Factory.php index 2cec8d6..c65ce6d 100644 --- a/lib/Minify/Source/Factory.php +++ b/lib/Minify/Source/Factory.php @@ -110,20 +110,20 @@ class Minify_Source_Factory { return $realpath; } - /** - * @param string $path + * turn windows-style slashes into unix-style, + * remove trailing slash + * and lowercase drive letter + * + * @param string $path absolute path + * * @return string */ public function getNormalizedPath($path) { - // turn windows-style slashes into unix-style, - // remove trailing slash - // and lowercase drive letter return lcfirst(rtrim(str_replace('\\', '/', $path), '/')); } - /** * @param mixed $spec *
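Review bot: The index.php hunk in [PATCH 4/5] copies `allowDirs` from `$min_serveOptions['minApp']` into the factory options unchanged, while the Factory.php hunks in this series compare each entry to the file path as a string prefix. An entry that is relative, reached through a symlink or contains `..` would presumably never match a resolved file path. That fails closed, but the resulting "outside $allowDirs" error gives no hint that the configured entry is at fault. I would state the expectation where the option is forwarded, e.g. `// allowDirs entries must be absolute, realpath()-resolved directories; the source factory compares them as string prefixes`. Whether `checkAllowDirs` is enabled on this code path is not visible in the hunk.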