security #24994 Prevent bundle readers from breaking out of paths (xabbuh)
This PR was merged into the 2.7 branch.
Discussion
----------
Prevent bundle readers from breaking out of paths
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Please fill in this template according to the PR you're about to submit.
- Replace this comment by a description of what your PR is solving.
-->
Commits
-------
c8f9f916b4 prevent bundle readers from breaking out of paths
This commit is contained in:
Fabien Potencier
commit
097ce09140
|
|
@ -30,6 +30,11 @@ class JsonBundleReader implements BundleReaderInterface
|
|||
{
|
||||
$fileName = $path.'/'.$locale.'.json';
|
||||
|
||||
// prevent directory traversal attacks
|
||||
if (dirname($fileName) !== $path) {
|
||||
throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
|
||||
}
|
||||
|
||||
if (!file_exists($fileName)) {
|
||||
throw new ResourceBundleNotFoundException(sprintf(
|
||||
'The resource bundle "%s" does not exist.',
|
||||
|
|
|
|||
|
|
@ -30,6 +30,11 @@ class PhpBundleReader implements BundleReaderInterface
|
|||
{
|
||||
$fileName = $path.'/'.$locale.'.php';
|
||||
|
||||
// prevent directory traversal attacks
|
||||
if (dirname($fileName) !== $path) {
|
||||
throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
|
||||
}
|
||||
|
||||
if (!file_exists($fileName)) {
|
||||
throw new ResourceBundleNotFoundException(sprintf(
|
||||
'The resource bundle "%s/%s.php" does not exist.',
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
{"Foo":"Bar"}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of the Symfony package.
|
||||
*
|
||||
* (c) Fabien Potencier <fabien@symfony.com>
|
||||
*
|
||||
* For the full copyright and license information, please view the LICENSE
|
||||
* file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
return array(
|
||||
'Foo' => 'Bar',
|
||||
);
|
||||
|
|
@ -69,4 +69,12 @@ class JsonBundleReaderTest extends TestCase
|
|||
{
|
||||
$this->reader->read(__DIR__.'/Fixtures/json', 'en_Invalid');
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
|
||||
*/
|
||||
public function testReaderDoesNotBreakOutOfGivenPath()
|
||||
{
|
||||
$this->reader->read(__DIR__.'/Fixtures/json', '../invalid_directory/en');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -61,4 +61,12 @@ class PhpBundleReaderTest extends TestCase
|
|||
{
|
||||
$this->reader->read(__DIR__.'/Fixtures/NotAFile', 'en');
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
|
||||
*/
|
||||
public function testReaderDoesNotBreakOutOfGivenPath()
|
||||
{
|
||||
$this->reader->read(__DIR__.'/Fixtures/php', '../invalid_directory/en');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Reference in New Issue