N°2538 enforce generic method to check path validity

Now uses realpath() and StartsWith
This commit is contained in:
Pierre Goiffon
2019-10-16 10:43:01 +02:00
parent 29c30c1f89
commit 607d355c61
4 changed files with 58 additions and 12 deletions


@@ -2099,18 +2099,29 @@ class utils
}
/**
* Checks that path does not contains illegal characters, like '../'
* @param string $sPath for example '/var/www/html/itop/data/backups/manual/itop_27-2019-10-03_15_35.tar.gz'
* @param string $sBasePath for example '/var/www/html/itop/data/'
*
* @param string $sPath
* @return bool false if path :
* * invalid
* * not allowed
* * not contained in base path
* Otherwise return the real path (see realpath())
*
* @return bool true if path is allowed, false otherwise
*
* @since 2.7.0
* @since 2.7.0 N°2538
*/
final public static function IsAllowedPath($sPath)
final public static function RealPath($sPath, $sBasePath)
{
$sPathNoDotDotPattern = "/^((?![\/\\\\]\.\.[\/\\\\]).)*$/";
$sFileRealPath = realpath($sPath);
if ($sFileRealPath === false)
{
return false;
}
if (!self::StartsWith($sFileRealPath, $sBasePath))
{
return false;
}
return preg_match($sPathNoDotDotPattern, $sPath) == 1;
return $sFileRealPath;
}
}
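Review bot: The containment check `if (!self::StartsWith($sFileRealPath, $sBasePath))` compares a canonicalised file path against a base path taken as-is, so the guarantee depends on how each caller spells `$sBasePath`: a base without a trailing separator (`/var/www/html/itop/data`) also matches sibling directories such as `/var/www/html/itop/data-old/...`, while a base containing a symlink, `..` or a different separator style never matches its own realpath and rejects legitimate files. Canonicalise the base with `realpath()` as well, terminate it with a directory separator, and append a separator to the file path before comparing so that the base directory itself still matches; the rewritten body is below. The docblock should also give the actual return type, `@return string|false`, since `@return bool` contradicts "Otherwise return the real path", and the duplicated `@since 2.7.0` lines can be merged. Whether `StartsWith` is case-sensitive is not visible here; on case-insensitive filesystems the comparison may behave differently and is worth confirming.
```php
final public static function RealPath($sPath, $sBasePath)
{
    $sFileRealPath = realpath($sPath);
    if ($sFileRealPath === false)
    {
        return false;
    }
    // Canonicalise the base too: symlinks, '..' or a missing trailing separator
    // in $sBasePath would otherwise make the prefix test too loose or too strict
    $sBaseRealPath = realpath($sBasePath);
    if ($sBaseRealPath === false)
    {
        return false;
    }
    $sBaseRealPath = rtrim($sBaseRealPath, '/\\').DIRECTORY_SEPARATOR;
    // Separator appended to the file path so that $sPath === $sBasePath is still accepted
    if (!self::StartsWith($sFileRealPath.DIRECTORY_SEPARATOR, $sBaseRealPath))
    {
        return false;
    }
    return $sFileRealPath;
}
```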