From a92baeaf6fffb217260f118ad7335f1791144740 Mon Sep 17 00:00:00 2001 From: Guy Sartorelli <36352093+GuySartorelli@users.noreply.github.com> Date: Mon, 6 May 2024 13:15:26 +1200 Subject: [PATCH] FIX Allow double dots in path when not attempting directory traversal (#11219) --- src/Core/Path.php | 2 +- tests/php/Core/PathTest.php | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/Core/Path.php b/src/Core/Path.php index ac19475ba26..891dc3754ce 100644 --- a/src/Core/Path.php +++ b/src/Core/Path.php @@ -34,7 +34,7 @@ public static function join(...$parts) $fullPath = static::normalise(implode(DIRECTORY_SEPARATOR, $parts)); // Protect against directory traversal vulnerability (OTG-AUTHZ-001) - if (strpos($fullPath ?? '', '..') !== false) { + if ($fullPath === '..' || str_ends_with($fullPath, '/..') || str_contains($fullPath, '../')) { throw new InvalidArgumentException('Can not collapse relative folders'); } diff --git a/tests/php/Core/PathTest.php b/tests/php/Core/PathTest.php index 02580de74d6..10dff0e8d98 100644 --- a/tests/php/Core/PathTest.php +++ b/tests/php/Core/PathTest.php @@ -48,6 +48,8 @@ public function providerTestJoinPaths() [['\\', '', '/root', '/', ' ', '/', '\\'], '/root'], // join blocks of paths [['/root/dir', 'another/path\\to/join'], '/root/dir/another/path/to/join'], + // Double dot is fine if it's not attempting directory traversal + [['/root/my..name/', 'another/path\\to/join'], '/root/my..name/another/path/to/join'], ]; // Rewrite tests for other filesystems (output arg only) @@ -79,6 +81,8 @@ public function providerTestJoinPathsErrors() [['/base', '../passwd'], 'Can not collapse relative folders'], [['/base/../', 'passwd/path'], 'Can not collapse relative folders'], [['../', 'passwd/path'], 'Can not collapse relative folders'], + [['..', 'passwd/path'], 'Can not collapse relative folders'], + [['base/..', 'passwd/path'], 'Can not collapse relative folders'], ]; }