More secure path validation

Dennis Eichhorn 2015-12-29 20:04:06 +01:00
parent f4ad56632f
commit 3eb0ae6ff9
3 changed files with 6 additions and 3 deletions


@ -19,6 +19,7 @@ use phpOMS\Datatypes\Exception\InvalidEnumValue;
use phpOMS\Message\Http\Rest; use phpOMS\Message\Http\Rest;
use phpOMS\Message\RequestMethod; use phpOMS\Message\RequestMethod;
use phpOMS\System\FilePathException; use phpOMS\System\FilePathException;
use phpOMS\Validation\Validator;
/** /**
* Logging class. * Logging class.
@ -92,7 +93,7 @@ class FileLogger implements LoggerInterface
$path = realpath($lpath); $path = realpath($lpath);
if (strpos($path, ROOT_PATH) === false) { if ($path === false || Validator::startsWith($path, ROOT_PATH) === false) {
throw new FilePathException($lpath); throw new FilePathException($lpath);
} }
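Review bot: The new condition `Validator::startsWith($path, ROOT_PATH) === false` in the second hunk is still a plain string-prefix test, so unless ROOT_PATH ends in a directory separator, a sibling directory whose name merely begins with the same characters would pass (constructed example: root `/srv/app`, path `/srv/app-old/x.log`). Comparing against the root with a trailing separator closes that gap, e.g. `$root = rtrim(ROOT_PATH, '/\\') . DIRECTORY_SEPARATOR;` followed by `if ($path === false || strncmp($path, $root, strlen($root)) !== 0) {`. The same condition appears in the Version and View sections of this commit. Validator::startsWith is not shown here, so the strict `=== false` comparison assumes it returns a real bool, and the enclosing method starts and ends outside the hunk.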


@ -15,6 +15,7 @@
*/ */
namespace phpOMS\Version; namespace phpOMS\Version;
use phpOMS\System\FilePathException; use phpOMS\System\FilePathException;
use phpOMS\Validation\Validator;
/** /**
* Version class. * Version class.
@ -75,7 +76,7 @@ class Version
{ {
$path = realpath($jpath); $path = realpath($jpath);
if(strpos($path, ROOT_PATH) === false || strpos($path, 'config.php') !== false) { if($path === false || Validator::startsWith($path, ROOT_PATH) === false || strpos($path, 'config.php') !== false) {
throw new FilePathException($jpath); throw new FilePathException($jpath);
} }
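Review bot: The `strpos($path, 'config.php') !== false` clause kept in the second hunk matches that string anywhere in the resolved path and is case-sensitive, so it is a one-name denylist that also rejects unrelated files (constructed example: `myconfig.php.json`) and may behave differently on a case-insensitive filesystem. Testing the final path component is more precise, `strcasecmp(basename($path), 'config.php') === 0`, and an allow-list on the expected extension via `pathinfo($path, PATHINFO_EXTENSION)` would state what may be read rather than what may not. The expected file type is only inferred from the `$jpath` name, and the method body continues outside the hunk.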


@ -21,6 +21,7 @@ use phpOMS\Localization\Localization;
use phpOMS\Message\RequestAbstract; use phpOMS\Message\RequestAbstract;
use phpOMS\Message\ResponseAbstract; use phpOMS\Message\ResponseAbstract;
use phpOMS\System\FilePathException; use phpOMS\System\FilePathException;
use phpOMS\Validation\Validator;
/** /**
* List view. * List view.
@ -281,7 +282,7 @@ class View implements RenderableInterface
$this->l11n->setLang($this->app->l11nManager->getLanguage($this->response->getL11n()->getLanguage())); $this->l11n->setLang($this->app->l11nManager->getLanguage($this->response->getL11n()->getLanguage()));
$path = realpath($oldPath = __DIR__ . '/../..' . $this->template . '.tpl.php'); $path = realpath($oldPath = __DIR__ . '/../..' . $this->template . '.tpl.php');
if (strpos($path, ROOT_PATH) === false) { if ($path === false || Validator::startsWith($path, ROOT_PATH) === false) {
throw new FilePathException($oldPath); throw new FilePathException($oldPath);
} }
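Review bot: In the second hunk the template path is built from `__DIR__ . '/../..'` but validated against ROOT_PATH, so the check and the construction only agree if those two resolve to the same directory, and any existing `.tpl.php` file under ROOT_PATH satisfies it. Validating against the base the path is actually built from keeps the two in step, e.g. `$base = realpath(__DIR__ . '/../..') . DIRECTORY_SEPARATOR;` and then `strncmp($path, $base, strlen($base)) !== 0`. Whether `$this->template` can be influenced by request data is not visible here; if it can, a dedicated template directory as the base would be narrower still. The exception is built from `$oldPath`, the unresolved string, so it is worth confirming that FilePathException messages are logged rather than echoed to the client. The enclosing method starts and ends outside the hunk.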