Commit df2e299d authored by Guillaume Perréal's avatar Guillaume Perréal

UploadedFile: vérifie dans setPath que $path ne pointe pas en dehors du répertoire.

Showing with 30 additions and 1 deletion
+30 -1
......@@ -151,7 +151,10 @@ class UploadedFile
*/
public function setPath($path)
{
$this->path = $path;
if(!static::isSafePath($path)) {
throw new InvalidArgumentException("Unsafe path: $path");
}
$this->path = trim($path, '/');
return $this;
}
......@@ -495,4 +498,30 @@ class UploadedFile
{
return fwrite($filehandle, $maxlen);
}
/** Vérifie si
*
* @param string $path
* @return boolean
*/
public static function isSafePath($path)
{
$parts = explode('/', trim($path, '/'));
$level = 0;
foreach($parts as $part) {
switch($part) {
case '.':
break;
case '..':
$level--;
if($level < 0) {
return false;
}
break;
default:
$level++;
}
}
return true;
}
}
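Review bot: The level counter in isSafePath treats an empty segment as a real directory, so a path with a doubled slash such as `a//../..` explodes to `['a', '', '..', '..']`, reaches level 2 before the two `..` bring it back to 0, and is accepted even though it resolves to the parent of the base directory; `.//..` passes the same way. Empty segments should be skipped exactly like `.`: `case '': case '.': break;`. The docblock `/** Vérifie si` is also left unfinished; I would complete it as `/** Returns true when $path (slash-separated, relative) cannot climb above its starting directory via ".." segments. */`. If this code ever runs where backslash is also a separator, `..\..` would pass unchanged, though nothing visible here shows that platform is in scope.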