mirror_html/filegator
1
0
Fork 0
mirror of https://github.com/filegator/filegator.git synced 2025-08-01 03:20:30 +02:00
Code Issues Projects Releases Wiki Activity

Two consecutive periods bug - fixes #202

Browse Source
This commit is contained in:
Milos Stojanovic
2021-03-23 10:30:42 +01:00
parent eda587daff
commit 86b9752b38
2 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/Services/Storage/Filesystem.php
View File

@@ -235,8 +235,11 @@ class Filesystem implements Service
private function applyPathPrefix(string $path): string private function applyPathPrefix(string $path): string
{ {
if (strpos($path, '..') !== false) { if ($path == '..'
$path = "/"; || strpos($path, '..'.$this->separator) !== false
|| strpos($path, $this->separator.'..') !== false
) {
$path = $this->separator;
} }
return $this->joinPaths($this->getPathPrefix(), $path); return $this->joinPaths($this->getPathPrefix(), $path);
} }

2
tests/backend/Unit/FilesystemTest.php
View File

@@ -403,6 +403,8 @@ class FilesystemTest extends TestCase
$this->assertEquals('/john/test.txt/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt/'])); $this->assertEquals('/john/test.txt/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt/']));
// no escaping path to upper dir // no escaping path to upper dir
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/..'])); $this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/..']));
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['..']));
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['../']));
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/sub/../../'])); $this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/sub/../../']));
} }