v7.4.4 fixes #116

This commit is contained in:
Milos Stojanovic
2020-07-28 13:04:25 +02:00
parent 8a16c9e36c
commit 812a0a2ce0
5 changed files with 59 additions and 4 deletions


@@ -2,6 +2,10 @@
## Upcoming...
## 7.4.4 - 2020-07-28 [Security]
* This version patches a security vulnerability #116 please upgrade
## 7.4.3 - 2020-07-18
* disabling axios response auto-transformation when editing content, fixes #110


@@ -234,6 +234,9 @@ class Filesystem implements Service
private function applyPathPrefix(string $path): string
{
if (strpos($path, '..') !== false) {
$path = "/";
}
return $this->joinPaths($this->getPathPrefix(), $path);
}
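Review bot: The new guard on the `strpos($path, '..')` line matches the substring anywhere in the path, so a legitimate name such as `notes..old.txt` is collapsed to the prefix root as well, while an actual parent-directory traversal is always a whole segment. Checking segments keeps the protection without the false positive: `if (in_array('..', explode('/', $path), true)) {`. Silently substituting `"/"` also leaves no trace of the attempt; throwing an exception or at least logging before the fallback would make a traversal attempt visible to the operator, assuming callers of this service already handle failures, which is not visible here. The Filesystem class continues outside the hunk.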

dist/index.php vendored

@@ -39,7 +39,7 @@ if (! defined('APP_PUBLIC_PATH')) {
}
define('APP_PUBLIC_DIR', __DIR__);
define('APP_VERSION', '7.4.3');
define('APP_VERSION', '7.4.4');
use Filegator\App;
use Filegator\Config\Config;


@@ -9,7 +9,7 @@ currentMenu: install
## Download precompiled build
Precompiled build is created for non-developers. In this version, the frontend (html, css and javascript) is compiled for you and the source code is removed so the final archive contains only minimum files.
- Download: [v7.4.3](https://github.com/filegator/static/raw/master/builds/filegator_v7.4.3.zip)
- Download: [v7.4.4](https://github.com/filegator/static/raw/master/builds/filegator_v7.4.4.zip)
- Unzip files and upload them to your PHP server
- Make sure your webserver can read and write to `filegator/repository/` and `filegator/private/` folders
- Set the website document root to `filegator/dist/` directory. This is also known as 'public' folder
@@ -26,8 +26,8 @@ apt update
apt install -y wget unzip php apache2 libapache2-mod-php php-zip
cd /var/www/
wget https://github.com/filegator/static/raw/master/builds/filegator_v7.4.3.zip
unzip filegator_v7.4.3.zip && rm filegator_v7.4.3.zip
wget https://github.com/filegator/static/raw/master/builds/filegator_v7.4.4.zip
unzip filegator_v7.4.4.zip && rm filegator_v7.4.4.zip
chown -R www-data:www-data filegator/
chmod -R 775 filegator/


@@ -401,6 +401,9 @@ class FilesystemTest extends TestCase
$this->assertEquals('/john/test', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/test']));
$this->assertEquals('/john/test.txt', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt']));
$this->assertEquals('/john/test.txt/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt/']));
// no escaping path to upper dir
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/..']));
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/sub/../../']));
}
public function testStripPathPrefix()
@@ -770,4 +773,49 @@ class FilesystemTest extends TestCase
$this->assertDirectoryExists(TEST_REPOSITORY.'/test2/test1/');
}
public function testCannotGoUpTheHomeDirUsingPathFiddle()
{
$this->storage->createFile('/', 'hidden.txt');
$this->storage->createDir('/', 'johnsub');
$this->storage->createFile('/johnsub', 'john.txt');
$this->storage->setPathPrefix('/johnsub');
$ret = $this->storage->getDirectoryCollection('/');
$ret->resetTimestamps(-1);
$this->assertJsonStringEqualsJsonString(json_encode([
'location' => '/',
'files' => [
0 => [
'type' => 'file',
'path' => '/john.txt',
'name' => 'john.txt',
'size' => 0,
'time' => -1,
],
],
]), json_encode($ret));
$ret = $this->storage->getDirectoryCollection('/..');
$ret->resetTimestamps(-1);
$this->assertJsonStringEqualsJsonString(json_encode([
'location' => '/..',
'files' => [
0 => [
'type' => 'back',
'path' => '/',
'name' => '..',
'size' => 0,
'time' => -1,
],
1 => [
'type' => 'file',
'path' => '/john.txt',
'name' => 'john.txt',
'size' => 0,
'time' => -1,
],
],
]), json_encode($ret));
}
}
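Review bot: The new assertions cover `/..` and `/sub/../../` but not the boundary the substring check draws, a name that merely contains `..`; `$this->assertEquals('/john/notes..old.txt', $this->invokeMethod($this->storage, 'applyPathPrefix', ['notes..old.txt']));` would fail against the current implementation and pins down whether that narrowing of accepted names is intended. In testCannotGoUpTheHomeDirUsingPathFiddle the second expectation also echoes `'location' => '/..'` back unchanged while the listed entries are those of the home root, so asserting a normalised location would keep a client from displaying a directory it never entered. The test method in the first hunk starts outside the hunk.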