Bug #24224 » 16593_43.patch

Administrator Admin, 2010-12-09 22:48

t3lib/class.t3lib_div.php (Arbeitskopie)
/**
* Checks for malicious file paths.
* Returns true if no '//', '..' or '\' is in the $theFile
*
* Returns TRUE if no '//', '..', '\' or control characters are found in the $theFile.
* This should make sure that the path is not pointing 'backwards' and further doesn't contain double/back slashes.
* So it's compatible with the UNIX style path strings valid for TYPO3 internally.
* Usage: 14
*
* @param string Filepath to evaluate
* @return boolean True, if no '//', '\', '/../' is in the $theFile and $theFile doesn't begin with '../'
* @return boolean TRUE, $theFile is allowed path string
* @see http://php.net/manual/en/security.filesystem.nullbytes.php
* @todo Possible improvement: Should it rawurldecode the string first to check if any of these characters is encoded ?
*/
public static function validPathStr($theFile) {
if (strpos($theFile, '//')===false && strpos($theFile, '\\')===false && !preg_match('#(?:^\.\.|/\.\./)#', $theFile)) {
if (strpos($theFile, '//') === FALSE && strpos($theFile, '\\') === FALSE && !preg_match('#(?:^\.\.|/\.\./|[[:cntrl:]])#', $theFile)) {
return true;
}
}
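Review bot: the `[[:cntrl:]]` alternative added to `!preg_match('#(?:^\.\.|/\.\./|[[:cntrl:]])#', $theFile)` makes `validPathStr()` reject NUL and the other ASCII control bytes, which is what the `@see` link to the PHP null-byte notes asks for, but the `@todo` about decoding the string first is left open: a caller that passes a still URL-encoded path gets nothing from this check, so either state in the docblock that the function expects an already decoded path or resolve the todo in the same change. Two smaller points on the visible lines: a path that ends in `/..` with no trailing slash matches neither `^\.\.` nor `/\.\./`, so if that case is meant to be rejected it deserves a test and an anchored alternative such as `/\.\.$`; and the unchanged `return true;` now sits beside the new `=== FALSE` comparisons, so it should become `return TRUE;` for consistency with the rest of the hunk.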
......
* @return boolean
*/
public static function verifyFilenameAgainstDenyPattern($filename) {
// Filenames are not allowed to contain control characters:
if (preg_match('/[[:cntrl:]]/', $filename)) {
return FALSE;
}
if (strcmp($filename,'') && strcmp($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'],'')) {
$result = preg_match('/'.$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].'/i',$filename);
if ($result) return false; // so if a matching filename is found, return false;
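Review bot: the control-character check placed at the top of `verifyFilenameAgainstDenyPattern()` runs before the `strcmp($filename, '')` guard and independently of `fileDenyPattern`, so a filename carrying NUL or another control byte is rejected even when the deny pattern is empty; that ordering is correct, but the `@return boolean` tag above the function has no description, so add one saying FALSE is now also returned for control characters, and cover the new branch with a unit test using a constructed name such as `"test.php\0.txt"`. Style: the new lines use `FALSE`, while the unchanged `if ($result) return false;` keeps lowercase `false` and a brace-less one-line `if`; convert it to `return FALSE;` inside braces while you are in this function.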