Disallow viewing dot-files in Profiler
The file viewer in the profiler should not open files that were meant to be hidden, like specifically .env files, but similarly files like .htaccess that might expose server configuration knowledge.
This commit is contained in:
Niels Keurentjes
parent
f056b4ef5b
commit
6a2f518e74
|
|
@ -385,7 +385,7 @@ class ProfilerController
|
|||
|
||||
$filename = $this->baseDir.DIRECTORY_SEPARATOR.$file;
|
||||
|
||||
if (preg_match("'(^|[/\\\\])\.\.?([/\\\\]|$)'", $file) || !is_readable($filename)) {
|
||||
if (preg_match("'(^|[/\\\\])\.'", $file) || !is_readable($filename)) {
|
||||
throw new NotFoundHttpException(sprintf('The file "%s" cannot be opened.', $file));
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ namespace Symfony\Bundle\WebProfilerBundle\Tests\Controller;
|
|||
use PHPUnit\Framework\TestCase;
|
||||
use Symfony\Bundle\WebProfilerBundle\Controller\ProfilerController;
|
||||
use Symfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\HttpKernel\Profiler\Profile;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
|
|
@ -46,6 +47,42 @@ class ProfilerControllerTest extends TestCase
|
|||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider getOpenFileCases
|
||||
*/
|
||||
public function testOpeningDisallowedPaths($path, $isAllowed)
|
||||
{
|
||||
$urlGenerator = $this->getMockBuilder('Symfony\Component\Routing\Generator\UrlGeneratorInterface')->getMock();
|
||||
$twig = $this->getMockBuilder('Twig\Environment')->disableOriginalConstructor()->getMock();
|
||||
$profiler = $this
|
||||
->getMockBuilder('Symfony\Component\HttpKernel\Profiler\Profiler')
|
||||
->disableOriginalConstructor()
|
||||
->getMock();
|
||||
|
||||
$controller = new ProfilerController($urlGenerator, $profiler, $twig, array(), 'bottom', null, __DIR__.'/../..');
|
||||
|
||||
try {
|
||||
$response = $controller->openAction(Request::create('/_wdt/open', Request::METHOD_GET, array('file' => $path)));
|
||||
$this->assertEquals(200, $response->getStatusCode());
|
||||
$this->assertTrue($isAllowed);
|
||||
} catch (NotFoundHttpException $e) {
|
||||
$this->assertFalse($isAllowed);
|
||||
}
|
||||
}
|
||||
|
||||
public function getOpenFileCases()
|
||||
{
|
||||
return array(
|
||||
array('README.md', true),
|
||||
array('composer.json', true),
|
||||
array('Controller/ProfilerController.php', true),
|
||||
array('.gitignore', false),
|
||||
array('../TwigBundle/README.md', false),
|
||||
array('Controller/../README.md', false),
|
||||
array('Controller/./ProfilerController.php', false),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider provideCspVariants
|
||||
*/
|
||||
|
|
|
|||
Reference in New Issue