Fixed #36. Potential security risk where relative paths would take a …

…path outside of the defined root.
thephpleague · Dec 12, 2013 · dfa49f1 · dfa49f1
1 parent 6907c07
commit dfa49f1
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 4 deletions.
diff --git a/src/Flysystem/Util.php b/src/Flysystem/Util.php
@@ -77,7 +77,24 @@ public static function map(array $object, array $map)
      */
     public static function normalizePath($path, $separator = '\\/')
     {
-        return ltrim($path, $separator);
+        // Remove any kind of funky unicode whitespace
+        $normalized = preg_replace('#\p{C}+|^\./#u', '', $path);
+
+        // Path remove self referring paths ("/./").
+        $normalized = preg_replace('#/\.(?=/)|^\./|\./$#', '', $normalized);
+
+        // Regex for resolving relative paths
+        $regex = '#\/*[^/\.]+/\.\.#Uu';
+
+        while (preg_match($regex, $normalized)) {
+            $normalized = preg_replace($regex, '', $normalized);
+        }
+
+        if (preg_match('#/\.{2}|\.{2}/#', $normalized)) {
+            throw new LogicException('Path is outside of the defined root, path: [' . $path . '], resolved: [' . $normalized . ']');
+        }
+
+        return trim($normalized, $separator);
     }
 
     /**

diff --git a/tests/FilesystemTests.php b/tests/FilesystemTests.php
@@ -164,12 +164,12 @@ public function testPutFail()
     }
 
     /**
-     * @dataProvider filesystemProvider
      * @expectedException  \Flysystem\FileExistsException
      */
-    public function testFileExists($filesystem)
+    public function testFileExists()
     {
-        $filesystem->write('../FilesystemTests.php', 'something');
+        $filesystem = new Filesystem(new Adapter\Local(__DIR__));
+        $filesystem->write('FilesystemTests.php', 'something');
     }
 
     /**

diff --git a/tests/UtilTests.php b/tests/UtilTests.php
@@ -69,4 +69,29 @@ public function testInvalidValueEnsureConfig()
 	{
 		Util::ensureConfig(false);
 	}
+
+	/**
+	 * @expectedException  LogicException
+	 */
+	public function testOutsideRootPath()
+	{
+		Util::normalizePath('something/../../../hehe');
+	}
+
+	public function pathProvider()
+	{
+		return array(
+			array('/dirname/', 'dirname'),
+			array('dirname/..', ''),
+		);
+	}
+
+	/**
+	 * @dataProvider  pathProvider
+	 */
+	public function testNormalizePath($input, $expected)
+	{
+		$result = Util::normalizePath($input);
+		$this->assertEquals($expected, $result);
+	}
 }