security #24994 Prevent bundle readers from breaking out of paths (xabbuh)
This PR was merged into the 2.7 branch.
Discussion
----------
Prevent bundle readers from breaking out of paths
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Please fill in this template according to the PR you're about to submit.
- Replace this comment by a description of what your PR is solving.
-->
Commits
-------
c8f9f916b4
prevent bundle readers from breaking out of paths
This commit is contained in:
commit
097ce09140
@ -30,6 +30,11 @@ class JsonBundleReader implements BundleReaderInterface
|
|||||||
{
|
{
|
||||||
$fileName = $path.'/'.$locale.'.json';
|
$fileName = $path.'/'.$locale.'.json';
|
||||||
|
|
||||||
|
// prevent directory traversal attacks
|
||||||
|
if (dirname($fileName) !== $path) {
|
||||||
|
throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
|
||||||
|
}
|
||||||
|
|
||||||
if (!file_exists($fileName)) {
|
if (!file_exists($fileName)) {
|
||||||
throw new ResourceBundleNotFoundException(sprintf(
|
throw new ResourceBundleNotFoundException(sprintf(
|
||||||
'The resource bundle "%s" does not exist.',
|
'The resource bundle "%s" does not exist.',
|
||||||
|
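Review bot: The guard `dirname($fileName) !== $path` is an exact string comparison, so a `$path` passed with a trailing slash (e.g. `/bundles/`) yields `$fileName = '/bundles//en.json'`, whose `dirname()` is `/bundles`, and every lookup is then rejected as a missing bundle even for a legitimate locale; whether any caller spells the directory that way is not visible here. Normalizing first, `$path = rtrim($path, '/');` before the `$fileName` assignment, keeps the check effective against `/` and `..` segments in `$locale` while not depending on how the caller wrote the directory (the `$path === '/'` edge would need a look). The one-line comment could also state what is actually being compared, e.g. `// prevent directory traversal: $locale must be a bare file name; any "/" or ".." in it moves dirname($fileName) away from $path`. The enclosing `read()` method starts before and ends after this hunk.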
@ -30,6 +30,11 @@ class PhpBundleReader implements BundleReaderInterface
|
|||||||
{
|
{
|
||||||
$fileName = $path.'/'.$locale.'.php';
|
$fileName = $path.'/'.$locale.'.php';
|
||||||
|
|
||||||
|
// prevent directory traversal attacks
|
||||||
|
if (dirname($fileName) !== $path) {
|
||||||
|
throw new ResourceBundleNotFoundException(sprintf('The resource bundle "%s" does not exist.', $fileName));
|
||||||
|
}
|
||||||
|
|
||||||
if (!file_exists($fileName)) {
|
if (!file_exists($fileName)) {
|
||||||
throw new ResourceBundleNotFoundException(sprintf(
|
throw new ResourceBundleNotFoundException(sprintf(
|
||||||
'The resource bundle "%s/%s.php" does not exist.',
|
'The resource bundle "%s/%s.php" does not exist.',
|
||||||
|
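Review bot: The traversal guard is now duplicated verbatim between this reader and JsonBundleReader with only the extension differing, so any later correction to one (for instance tolerating a trailing slash in `$path`, which the exact `dirname()` comparison currently turns into a rejection of every locale) has to be remembered in the other. A small shared helper the two readers call, e.g. `if (!self::isBareFileNameIn($path, $fileName)) { throw new ResourceBundleNotFoundException(...); }`, would keep the policy in one place. Placing the check before the `file_exists()` branch is the right order, since this reader presumably goes on to load the resolved `.php` file (not visible in the hunk) and `$locale` is the only caller-influenced component of the path; a comment saying so, `// $locale must not contain "/" or "..": the file below is loaded, so this check must come first`, would make the intent durable. The enclosing `read()` starts before and ends after this hunk.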
@ -0,0 +1 @@
|
|||||||
|
{"Foo":"Bar"}
|
@ -0,0 +1,14 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This file is part of the Symfony package.
|
||||||
|
*
|
||||||
|
* (c) Fabien Potencier <fabien@symfony.com>
|
||||||
|
*
|
||||||
|
* For the full copyright and license information, please view the LICENSE
|
||||||
|
* file that was distributed with this source code.
|
||||||
|
*/
|
||||||
|
|
||||||
|
return array(
|
||||||
|
'Foo' => 'Bar',
|
||||||
|
);
|
@ -69,4 +69,12 @@ class JsonBundleReaderTest extends TestCase
|
|||||||
{
|
{
|
||||||
$this->reader->read(__DIR__.'/Fixtures/json', 'en_Invalid');
|
$this->reader->read(__DIR__.'/Fixtures/json', 'en_Invalid');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
|
||||||
|
*/
|
||||||
|
public function testReaderDoesNotBreakOutOfGivenPath()
|
||||||
|
{
|
||||||
|
$this->reader->read(__DIR__.'/Fixtures/json', '../invalid_directory/en');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
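Review bot: `testReaderDoesNotBreakOutOfGivenPath` exercises only a leading `../` segment; the guard also has to reject a plain subdirectory segment (`'sub/en'`) and an absolute locale (`'/etc/passwd'`), and a data provider with those three inputs would document the policy instead of one example. Because the test asserts only the exception type, it cannot tell a traversal rejection from an ordinary missing-bundle failure, so it relies on the one-line `{"Foo":"Bar"}` fixture added in this PR (presumably the `invalid_directory/en.json` the locale points at) existing so that the read would succeed without the guard. A comment in the test stating that dependency, e.g. `// Fixtures/invalid_directory/en.json exists on purpose: without the guard this read would succeed`, keeps the fixture from being removed as unused.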
@ -61,4 +61,12 @@ class PhpBundleReaderTest extends TestCase
|
|||||||
{
|
{
|
||||||
$this->reader->read(__DIR__.'/Fixtures/NotAFile', 'en');
|
$this->reader->read(__DIR__.'/Fixtures/NotAFile', 'en');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @expectedException \Symfony\Component\Intl\Exception\ResourceBundleNotFoundException
|
||||||
|
*/
|
||||||
|
public function testReaderDoesNotBreakOutOfGivenPath()
|
||||||
|
{
|
||||||
|
$this->reader->read(__DIR__.'/Fixtures/php', '../invalid_directory/en');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
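Review bot: As with the JSON test, a single `../invalid_directory/en` input leaves the subdirectory (`'sub/en'`) and absolute-path (`'/abs/en'`) cases uncovered, and for this reader a bypass would feed an attacker-chosen `.php` path to whatever loads the file, so the wider coverage matters more here. Sharing one data provider of rejected locales between `PhpBundleReaderTest` and `JsonBundleReaderTest` would keep the two readers' policies verifiably identical. The fourteen-line PHP fixture added in this PR appears to be the file this locale resolves to; a short comment noting that the fixture must keep existing for the test to be meaningful, `// the fixture behind this locale exists so the read would succeed without the guard`, is worth adding.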