8000 bug #49581 Avoid leading .. for temporary files from Filesystem recur… · symfony/symfony@1a5e19b · GitHub
[go: up one dir, main page]
Skip to content

Commit 1a5e19b

Browse files
nicolas-grekasnicolas-grekas
committed
bug #49581 Avoid leading .. for temporary files from Filesystem recursive remove (giosh94mhz)
This PR was merged into the 5.4 branch. Discussion ---------- Avoid leading .. for temporary files from Filesystem recursive remove | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | | License | MIT | Doc PR | Method `Filesystem::doRemove` is using renaming of parent directory before recursive removal, in order to implement atomic remove. This is a good thing, but to implement this is generating a random path name, with a modified base64 which replaces base64's `=` sign with `.`. This may lead to directory named as `path/..8U6/` which freaked out our synchronization tools and security log scanner. Since the leading `.` is already (correctly) hard-coded, I see no issue in using `_` as a safer alternative. Commits ------- 2dd8183 Avoid leading .. for temporary files from Filesystem recursive remove
2 parents c0e26fc + 2dd8183 commit 1a5e19b

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

src/Symfony/Component/Filesystem/Filesystem.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -170,7 +170,7 @@ private static function doRemove(array $files, bool $isRecursive): void
170170
}
171171
} elseif (is_dir($file)) {
172172
if (!$isRecursive) {
173-
$tmpName = \dirname(realpath($file)).'/.'.strrev(strtr(base64_encode(random_bytes(2)), '/=', '-.'));
173+
$tmpName = \dirname(realpath($file)).'/.'.strrev(strtr(base64_encode(random_bytes(2)), '/=', '-_'));
174174

175175
if (file_exists($tmpName)) {
176176
try {

0 commit comments

Comments
 (0)
0