From 82236324b56efb31b20d186b4c880d5bd501115f Mon Sep 17 00:00:00 2001
From: Victor Berchet
Date: Mon, 21 May 2012 15:52:36 +0200
Subject: [PATCH 1/2] [HttpFoundation] Fix the UploadedFilename name sanitization (fix #2577)
---
 .../HttpFoundation/File/UploadedFile.php | 4 ++-
 .../HttpFoundation/File/UploadedFileTest.php | 35 ++++++++++---------
 2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/src/Symfony/Component/HttpFoundation/File/UploadedFile.php b/src/Symfony/Component/HttpFoundation/File/UploadedFile.php
index 4e51c50010..dcd2919773 100644
--- a/src/Symfony/Component/HttpFoundation/File/UploadedFile.php
+++ b/src/Symfony/Component/HttpFoundation/File/UploadedFile.php
@@ -94,7 +94,9 @@ class UploadedFile extends File
 throw new FileException(sprintf('Unable to create UploadedFile because "file_uploads" is disabled in your php.ini file (%s)', get_cfg_var('cfg_file_path')));
 }
- $this->originalName = basename($originalName);
+ $originalName = str_replace('\\', '/', $originalName);
+ $pos = strrpos($originalName, '/');
+ $this->originalName = false === $pos ? $originalName : substr($originalName, $pos + 1);
 $this->mimeType = $mimeType ?: 'application/octet-stream';
 $this->size = $size;
 $this->error = $error ?: UPLOAD_ERR_OK;
diff --git a/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php b/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php
index 7152a00601..85879ea4a1 100644
--- a/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php
+++ b/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php
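Review bot: The new cut at `$this->originalName = false === $pos ? $originalName : substr($originalName, $pos + 1);` still stores a client-controlled `'..'` or `'.'` verbatim (strrpos finds no separator, so the value is taken as-is), and for a name ending in a separator such as `'dir/'` it stores what substr() returns when start equals the string length — `false` on the PHP 5 series this code targets, `''` on later releases — where basename() returned `'dir'`. basename() passed `..` through as well, so most of this is not a regression, but the `false` case is new and would surface as a non-string from getClientOriginalName(); since the constructor already throws FileException a few lines above, a guard right after the assignment, `if (!is_string($this->originalName) || in_array($this->originalName, array('', '.', '..'), true)) { throw new FileException(sprintf('Invalid client file name "%s".', $originalName)); }`, closes all three cases, or at minimum the result should be coerced with `(string)`. Null bytes and control characters are also passed through unchanged, so getClientOriginalName() remains untrusted input that callers must not use directly as a filesystem path; a comment above the str_replace such as `// Strip directory components (both separators) without basename(), which is locale-dependent and mangles multibyte names; the result is still untrusted` would record both the reason for the change and that limit. The constructor containing this hunk starts and ends outside it.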
@@ -76,19 +76,6 @@ class UploadedFileTest extends \PHPUnit_Framework_TestCase
 $this->assertEquals(UPLOAD_ERR_OK, $file->getError());
 }
- public function testGetClientOriginalName()
- {
- $file = new UploadedFile(
- __DIR__.'/Fixtures/test.gif',
- 'original.gif',
- 'image/gif',
- filesize(__DIR__.'/Fixtures/test.gif'),
- null
- );
-
- $this->assertEquals('original.gif', $file->getClientOriginalName());
- }
-
 /**
 * @expectedException Symfony\Component\HttpFoundation\File\Exception\FileException
 */
@@ -132,18 +119,32 @@ class UploadedFileTest extends \PHPUnit_Framework_TestCase
 @unlink($targetPath);
 }
-
- public function testGetClientOriginalNameSanitizeFilename()
+ /**
+ * @dataProvider getClientFilenameFixtures
+ */
+ public function testGetClientOriginalNameSanitizeFilename($filename, $sanitizedFilename)
 {
 $file = new UploadedFile(
 __DIR__.'/Fixtures/test.gif',
- '../../original.gif',
+ $filename,
 'image/gif',
 filesize(__DIR__.'/Fixtures/test.gif'),
 null
 );
- $this->assertEquals('original.gif', $file->getClientOriginalName());
+ $this->assertEquals($sanitizedFilename, $file->getClientOriginalName());
+ }
+
+ public function getClientFilenameFixtures()
+ {
+ return array(
+ array('original.gif', 'original.gif'),
+ array('..\\..\\original.gif', 'original.gif'),
+ array('../../original.gif', 'original.gif'),
+ array('файлfile.gif', 'файлfile.gif'),
+ array('..\\..\\файлfile.gif', 'файлfile.gif'),
+ array('../../файлfile.gif', 'файлfile.gif'),
+ );
 }
 public function testGetSize()
From c01fed0c89577ed8fb0deada943016bc372d8076 Mon Sep 17 00:00:00 2001
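Review bot: `getClientFilenameFixtures()` pins only uniform separator runs, although the fix's mechanism is mapping `\` to `/` and cutting at the last `/`; adding a mixed case `array('..\\../original.gif', 'original.gif')` and an absolute one `array('/original.gif', 'original.gif')` would exercise that mechanism rather than just the happy path. The degenerate inputs `'.'`, `'..'` and a trailing separator such as `'dir/'` are untested — today the first two come back verbatim and the third yields whatever substr() returns when start equals the length (`false` on PHP 5) — and whichever behaviour is intended for them should be asserted here so it cannot drift silently. The `'файлfile.gif'` rows presumably exist because basename() truncated multibyte names under a non-UTF-8 locale; a comment such as `// multibyte names: basename() is locale-dependent and truncated these` above those rows would keep the reason from being lost.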
From: Fabien Potencier
Date: Mon, 21 May 2012 22:25:19 +0200
Subject: [PATCH 2/2] fixed CS
---
 .../DependencyInjection/FrameworkExtension.php | 2 +-
 .../FrameworkBundle/Resources/views/Form/attributes.html.php | 2 +-
 .../Resources/views/Form/container_attributes.html.php | 2 +-
 .../FrameworkBundle/Resources/views/Form/field_label.html.php | 2 +-
 .../FrameworkBundle/Resources/views/Form/form_label.html.php | 2 +-
 .../Bundle/FrameworkBundle/Templating/Helper/FormHelper.php | 2 +-
 src/Symfony/Component/Form/Util/PropertyPath.php | 2 +-
 src/Symfony/Component/HttpKernel/Debug/ExceptionHandler.php | 2 +-
 .../Component/Routing/Matcher/Dumper/ApacheMatcherDumper.php | 2 +-
 src/Symfony/Component/Routing/RouteCompiler.php | 2 +-
 src/Symfony/Component/Translation/Loader/CsvFileLoader.php | 4 ++--
 .../Tests/Bridge/Doctrine/Form/Type/EntityTypeTest.php | 4 ++--
 tests/Symfony/Tests/Component/Finder/FinderTest.php | 4 ++--
 tests/Symfony/Tests/Component/HttpFoundation/ResponseTest.php | 4 ++--
 .../HttpKernel/EventListener/ExceptionListenerTest.php | 4 ++--
 15 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
index 6b6542974e..989991ad34 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -604,7 +604,7 @@ class FrameworkExtension extends Extension
 ->replaceArgument(2, $config['debug'])
 ;
 $container->setAlias('annotation_reader', 'annotations.file_cache_reader');
- } else if('none' !== $config['cache']) {
+ } elseif ('none' !== $config['cache']) {
 $container
 ->getDefinition('annotations.cached_reader')
 ->replaceArgument(1, new Reference($config['cache']))
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/attributes.html.php b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/attributes.html.php
index 33b3c7eac1..2b3c84d066 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/attributes.html.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/attributes.html.php
@@ -4,5 +4,5 @@
 name="escape($full_name) ?>"
 required="required"
 maxlength="escape($max_length) ?>"
 pattern="escape($pattern) ?>"
- $v) { printf('%s="%s" ', $view->escape($k), $view->escape($v)); } ?>
+ $v) { printf('%s="%s" ', $view->escape($k), $view->escape($v)); } ?>
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/container_attributes.html.php b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/container_attributes.html.php
index 24d6769fe3..e31912377d 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/container_attributes.html.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/container_attributes.html.php
@@ -1,2 +1,2 @@
 id="escape($id) ?>"
- $v) { printf('%s="%s" ', $view->escape($k), $view->escape($v)); } ?>
+ $v) { printf('%s="%s" ', $view->escape($k), $view->escape($v)); } ?>
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/field_label.html.php b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/field_label.html.php
index 214b9d2c7c..c6a72d58f6 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/field_label.html.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/field_label.html.php
@@ -1,2 +1,2 @@
-
+
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_label.html.php b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_label.html.php
index 89149c3423..464b8c272c 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_label.html.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_label.html.php
@@ -1,2 +1,2 @@
-
+
diff --git a/src/Symfony/Bundle/FrameworkBundle/Templating/Helper/FormHelper.php b/src/Symfony/Bundle/FrameworkBundle/Templating/Helper/FormHelper.php
index c296ce627c..5fac49f519 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Templating/Helper/FormHelper.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Templating/Helper/FormHelper.php
@@ -240,7 +240,7 @@ class FormHelper extends Helper
 return $html;
 }
- } while (--$typeIndex >= 0);
+ } while (--$typeIndex >= 0);
 throw new FormException(sprintf(
 'Unable to render the form as none of the following blocks exist: "%s".',
diff --git a/src/Symfony/Component/Form/Util/PropertyPath.php b/src/Symfony/Component/Form/Util/PropertyPath.php
index 3f33cd926c..529d3ce100 100644
--- a/src/Symfony/Component/Form/Util/PropertyPath.php
+++ b/src/Symfony/Component/Form/Util/PropertyPath.php
@@ -192,7 +192,7 @@ class PropertyPath implements \IteratorAggregate
 $value = $this->readProperty($objectOrArray, $i);
 // arrays need to be treated separately (due to PHP bug?)
 // http://bugs.php.net/bug.php?id=52133
- } elseif (is_array($objectOrArray)){
+ } elseif (is_array($objectOrArray)) {
 $property = $this->elements[$i];
 if (!array_key_exists($property, $objectOrArray)) {
 $objectOrArray[$property] = $i + 1 < $this->length ? array() : null;
diff --git a/src/Symfony/Component/HttpKernel/Debug/ExceptionHandler.php b/src/Symfony/Component/HttpKernel/Debug/ExceptionHandler.php
index da51170d37..02cb99d498 100644
--- a/src/Symfony/Component/HttpKernel/Debug/ExceptionHandler.php
+++ b/src/Symfony/Component/HttpKernel/Debug/ExceptionHandler.php
@@ -74,7 +74,7 @@ class ExceptionHandler
 $code = $exception instanceof HttpExceptionInterface ? $exception->getStatusCode() : 500;
 $exception = FlattenException::create($exception);
- switch($code) {
+ switch ($code) {
 case 404:
 $title = 'Sorry, the page you are looking for could not be found.';
 break;
diff --git a/src/Symfony/Component/Routing/Matcher/Dumper/ApacheMatcherDumper.php b/src/Symfony/Component/Routing/Matcher/Dumper/ApacheMatcherDumper.php
index 8be0622dc6..881e24966c 100644
--- a/src/Symfony/Component/Routing/Matcher/Dumper/ApacheMatcherDumper.php
+++ b/src/Symfony/Component/Routing/Matcher/Dumper/ApacheMatcherDumper.php
@@ -135,7 +135,7 @@ class ApacheMatcherDumper extends MatcherDumper
 {
 $escaped = false;
 $output = '';
- foreach(str_split($string) as $symbol) {
+ foreach (str_split($string) as $symbol) {
 if ($escaped) {
 $output .= $symbol;
 $escaped = false;
diff --git a/src/Symfony/Component/Routing/RouteCompiler.php b/src/Symfony/Component/Routing/RouteCompiler.php
index aab9329aa6..72ececc5ca 100644
--- a/src/Symfony/Component/Routing/RouteCompiler.php
+++ b/src/Symfony/Component/Routing/RouteCompiler.php
@@ -101,7 +101,7 @@ class RouteCompiler implements RouteCompilerInterface
 private function computeRegexp(array $tokens, $index, $firstOptional)
 {
 $token = $tokens[$index];
- if('text' === $token[0]) {
+ if ('text' === $token[0]) {
 // Text tokens
 return preg_quote($token[1], '#');
 } else {
diff --git a/src/Symfony/Component/Translation/Loader/CsvFileLoader.php b/src/Symfony/Component/Translation/Loader/CsvFileLoader.php
index 1e9185a759..ce8930f355 100644
--- a/src/Symfony/Component/Translation/Loader/CsvFileLoader.php
+++ b/src/Symfony/Component/Translation/Loader/CsvFileLoader.php
@@ -41,14 +41,14 @@ class CsvFileLoader extends ArrayLoader implements LoaderInterface
 try {
 $file = new \SplFileObject($resource, 'rb');
- } catch(\RuntimeException $e) {
+ } catch (\RuntimeException $e) {
 throw new \InvalidArgumentException(sprintf('Error opening file "%s".', $resource));
 }
 $file->setFlags(\SplFileObject::READ_CSV | \SplFileObject::SKIP_EMPTY);
 $file->setCsvControl($this->delimiter, $this->enclosure, $this->escape);
- foreach($file as $data) {
+ foreach ($file as $data) {
 if (substr($data[0], 0, 1) === '#') {
 continue;
 }
diff --git a/tests/Symfony/Tests/Bridge/Doctrine/Form/Type/EntityTypeTest.php b/tests/Symfony/Tests/Bridge/Doctrine/Form/Type/EntityTypeTest.php
index c60e6d13c3..6a11456080 100644
--- a/tests/Symfony/Tests/Bridge/Doctrine/Form/Type/EntityTypeTest.php
+++ b/tests/Symfony/Tests/Bridge/Doctrine/Form/Type/EntityTypeTest.php
@@ -57,12 +57,12 @@ class EntityTypeTest extends TypeTestCase
 try {
 $schemaTool->dropSchema($classes);
- } catch(\Exception $e) {
+ } catch (\Exception $e) {
 }
 try {
 $schemaTool->createSchema($classes);
- } catch(\Exception $e) {
+ } catch (\Exception $e) {
 }
 }
diff --git a/tests/Symfony/Tests/Component/Finder/FinderTest.php b/tests/Symfony/Tests/Component/Finder/FinderTest.php
index 9cf8e3a8ee..5135f04c73 100644
--- a/tests/Symfony/Tests/Component/Finder/FinderTest.php
+++ b/tests/Symfony/Tests/Component/Finder/FinderTest.php
@@ -246,7 +246,7 @@ class FinderTest extends Iterator\RealIteratorTestCase
 $paths = array();
- foreach($finder as $file) {
+ foreach ($finder as $file) {
 $paths[] = $file->getRelativePath();
 }
@@ -266,7 +266,7 @@ class FinderTest extends Iterator\RealIteratorTestCase
 $paths = array();
- foreach($finder as $file) {
+ foreach ($finder as $file) {
 $paths[] = $file->getRelativePathname();
 }
diff --git a/tests/Symfony/Tests/Component/HttpFoundation/ResponseTest.php b/tests/Symfony/Tests/Component/HttpFoundation/ResponseTest.php
index 26af05df7f..512d20f48f 100644
--- a/tests/Symfony/Tests/Component/HttpFoundation/ResponseTest.php
+++ b/tests/Symfony/Tests/Component/HttpFoundation/ResponseTest.php
@@ -308,14 +308,14 @@ class ResponseTest extends \PHPUnit_Framework_TestCase
 try {
 $response->setStatusCode(99);
 $this->fail();
- } catch(\InvalidArgumentException $e) {
+ } catch (\InvalidArgumentException $e) {
 $this->assertTrue($response->isInvalid());
 }
 try {
 $response->setStatusCode(650);
 $this->fail();
- } catch(\InvalidArgumentException $e) {
+ } catch (\InvalidArgumentException $e) {
 $this->assertTrue($response->isInvalid());
 }
diff --git a/tests/Symfony/Tests/Component/HttpKernel/EventListener/ExceptionListenerTest.php b/tests/Symfony/Tests/Component/HttpKernel/EventListener/ExceptionListenerTest.php
index 5062498366..53001d59cd 100644
--- a/tests/Symfony/Tests/Component/HttpKernel/EventListener/ExceptionListenerTest.php
+++ b/tests/Symfony/Tests/Component/HttpKernel/EventListener/ExceptionListenerTest.php
@@ -55,7 +55,7 @@ class ExceptionListenerTest extends \PHPUnit_Framework_TestCase
 try {
 $l->onKernelException($event2);
- } catch(\Exception $e) {
+ } catch (\Exception $e) {
 $this->assertSame('foo', $e->getMessage());
 }
@@ -77,7 +77,7 @@ class ExceptionListenerTest extends \PHPUnit_Framework_TestCase
 try {
 $l->onKernelException($event2);
- } catch(\Exception $e) {
+ } catch (\Exception $e) {
 $this->assertSame('foo', $e->getMessage());
 }