prevent bundle readers from breaking out of paths · symfony/symfony@3d45e10 · GitHub


Commit 3d45e10

xabbuhnicolas-grekas
authored and committed
prevent bundle readers from breaking out of paths
1 parent 7e93eaa commit 3d45e10


6 files changed

+41
-0
lines changed


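--- a/src/Symfony/Component/Intl/Data/Bundle/Reader/JsonBundleReader.php
+++ b/src/Symfony/Component/Intl/Data/Bundle/Reader/JsonBundleReader.php
@@ -30,6 +30,11 @@ public function read($path, $locale)
 {
 $fileName = $path.'/'.$locale.'.json';
 
+// prevent directory traversal attacks
+if (dirname($fileName) !== $path) {
+throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
+}
+
 if (!file_exists($fileName)) {
 throw new ResourceBundleNotFoundException(sprintf(
 'The resource bundle "%s/%s.json" does not exist.',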
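Review bot: The guard on the added `if (dirname($fileName) !== $path)` line only holds when `$path` is already in the canonical form that `dirname()` returns: `dirname()` strips trailing slashes, so a caller passing a bundle directory ending in `/` (or an otherwise non-normalized path) will have every read, including legitimate locales, rejected with a misleading "does not exist" message instead of a configuration error. The identical check is added in PhpBundleReader.php and has the same limitation. Either document the precondition on `read()`, e.g. `@param string $path The bundle directory, without a trailing slash`, or normalize once before building `$fileName`, e.g. `$path = rtrim($path, '/');` with the root directory handled separately. The body of `read()` continues past the end of the hunk.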

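--- a/src/Symfony/Component/Intl/Data/Bundle/Reader/PhpBundleReader.php
+++ b/src/Symfony/Component/Intl/Data/Bundle/Reader/PhpBundleReader.php
@@ -30,6 +30,11 @@ public function read($path, $locale)
 {
 $fileName = $path.'/'.$locale.'.php';
 
+// prevent directory traversal attacks
+if (dirname($fileName) !== $path) {
+throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
+}
+
 if (!file_exists($fileName)) {
 throw new ResourceBundleNotFoundException(sprintf(
 'The resource bundle "%s/%s.php" does not exist.',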
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
{"Foo":"Bar"}
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
return array(
13+
'Foo' => 'Bar',
14+
);

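--- a/src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/JsonBundleReaderTest.php
+++ b/src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/JsonBundleReaderTest.php
@@ -69,4 +69,12 @@ public function testReadFailsIfInvalidJson()
 {
 $this->reader->read(__DIR__.'/Fixtures/json', 'en_Invalid');
 }
+
+/**
+* @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
+*/
+public function testReaderDoesNotBreakOutOfGivenPath()
+{
+$this->reader->read(__DIR__.'/Fixtures/json', '../invalid_directory/en');
+}
 }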
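Review bot: `testReaderDoesNotBreakOutOfGivenPath` asserts only the exception type, and the new traversal guard throws the same `ResourceBundleNotFoundException` with a message identical to the plain missing-file branch (`$path.'/'.$locale.'.json'` and `sprintf('%s/%s.json', $path, $locale)` render the same string), so the test would also pass if the guard were removed and the target file simply did not exist. Its value presumably rests on the `{"Foo":"Bar"}` fixture added in this commit resolving to `Fixtures/invalid_directory/en.json`; make that dependence explicit with `$this->assertFileExists(__DIR__.'/Fixtures/invalid_directory/en.json');` before the `read()` call, so a deleted or renamed fixture fails loudly rather than silently keeping the test green. The same applies to the new test in PhpBundleReaderTest.php. The enclosing test class, and the preceding `testReadFailsIfInvalidJson`, start outside the hunk.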

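--- a/src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/PhpBundleReaderTest.php
+++ b/src/Symfony/Component/Intl/Tests/Data/Bundle/Reader/PhpBundleReaderTest.php
@@ -61,4 +61,12 @@ public function testReadFailsIfNotAFile()
 {
 $this->reader->read(__DIR__.'/Fixtures/NotAFile', 'en');
 }
+
+/**
+* @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
+*/
+public function testReaderDoesNotBreakOutOfGivenPath()
+{
+$this->reader->read(__DIR__.'/Fixtures/php', '../invalid_directory/en');
+}
 }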
