Bug #24224 » 16593_43.patch
| t3lib/class.t3lib_div.php (Arbeitskopie) | ||
|---|---|---|
|
/**
|
||
|
* Checks for malicious file paths.
|
||
|
* Returns true if no '//', '..' or '\' is in the $theFile
|
||
|
*
|
||
|
* Returns TRUE if no '//', '..', '\' or control characters are found in the $theFile.
|
||
|
* This should make sure that the path is not pointing 'backwards' and further doesn't contain double/back slashes.
|
||
|
* So it's compatible with the UNIX style path strings valid for TYPO3 internally.
|
||
|
* Usage: 14
|
||
|
*
|
||
|
* @param string Filepath to evaluate
|
||
|
* @return boolean True, if no '//', '\', '/../' is in the $theFile and $theFile doesn't begin with '../'
|
||
|
* @return boolean TRUE, $theFile is allowed path string
|
||
|
* @see http://php.net/manual/en/security.filesystem.nullbytes.php
|
||
|
* @todo Possible improvement: Should it rawurldecode the string first to check if any of these characters is encoded ?
|
||
|
*/
|
||
|
public static function validPathStr($theFile) {
|
||
|
if (strpos($theFile, '//')===false && strpos($theFile, '\\')===false && !preg_match('#(?:^\.\.|/\.\./)#', $theFile)) {
|
||
|
if (strpos($theFile, '//') === FALSE && strpos($theFile, '\\') === FALSE && !preg_match('#(?:^\.\.|/\.\./|[[:cntrl:]])#', $theFile)) {
|
||
|
return true;
|
||
|
}
|
||
|
}
|
||
| ... | ... | |
|
* @return boolean
|
||
|
*/
|
||
|
public static function verifyFilenameAgainstDenyPattern($filename) {
|
||
|
// Filenames are not allowed to contain control characters:
|
||
|
if (preg_match('/[[:cntrl:]]/', $filename)) {
|
||
|
return FALSE;
|
||
|
}
|
||
|
if (strcmp($filename,'') && strcmp($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'],'')) {
|
||
|
$result = preg_match('/'.$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].'/i',$filename);
|
||
|
if ($result) return false; // so if a matching filename is found, return false;
|
||